- From: Nico Williams <nico@cryptonector.com>
- Date: Wed, 3 Dec 2025 16:18:47 -0600
- To: ietf-http-wg@w3.org, oauth@ietf.org
[I should have cc'ed ietf-http-wg@w3.org on my post to oauth@ietf.org, so I'm reposting, and this time with a request about whether this should become a WG item for either WG. Not sure which to set as In-Reply-To:, so I didn't.]

I just submitted draft-williams-http-bearer-extension-00.txt (see forwarded message below).

- https://www.ietf.org/archive/id/draft-williams-http-bearer-extension-00.txt
- https://datatracker.ietf.org/doc/html/draft-williams-http-bearer-extension
- https://datatracker.ietf.org/doc/draft-williams-http-bearer-extension/

Abstract:

This document specifies an improved HTTP 401 and 407 flow for Bearer authentication where user-agents (or client applications) can automatically fetch requested tokens from a Security Token Service (STS). A fallback to an OpenID Connect (OIDC) redirect flow is included. This improved 401/407 Bearer flow, when used, elides the need for Proof Key for Code Exchange (PKCE) and does not impose on application Universal Resource Identifier (URI) query parameter design. As well this extension allows for user-agent caching of tokens.

This is motivated by things like:

- `curl` and such don't know how to respond to 401s w/ WWW-Authenticate: Bearer except when a token is provided a priori by the user. This is quite cumbersome as compared to, say, Kerberos.
- proxy auth cases
- having a flow that neither requires PKCE nor camps on URI q-params

I expect the last two to resonate here, or at least I hope so.

I think this I-D should probably become a WG item for one or the other WG.

I'd love to have some feedback on the I-D and where, if anywhere, it should be considered as a WG item,

thanks,

Nico

--
Received on Wednesday, 3 December 2025 22:18:57 UTC
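The abstract above describes the flow only in outline: a user-agent sees a 401 or 407 carrying a `WWW-Authenticate: Bearer` (or `Proxy-Authenticate: Bearer`) challenge, obtains a token from an STS automatically, caches it, and falls back to an OIDC redirect when it cannot. The following Python is an added illustration of what that client-side decision logic looks like; it is not code from the draft or from its author, and it does not reproduce the draft's actual challenge parameters. The challenge parsing follows the RFC 9110 auth-param grammar, but the parameter names `sts_uri` and `oidc_issuer`, the `TRUSTED_STS` allowlist, the `FakeSts` stand-in and all `*.example.test` URLs are assumptions made up for this example. Two points a practitioner would want are shown: a challenge from the wrong party must not be able to steer the client to an arbitrary STS (hence the allowlist), and cached tokens are keyed by origin so a token minted for one host is never replayed to another.

```python
"""Added example (not from the draft): user-agent handling of a 401/407 Bearer challenge.
Parameter names sts_uri / oidc_issuer are hypothetical; the draft defines its own."""
import re

# Tokenizer for the RFC 9110 challenge grammar: ',' '=' quoted-string and token.
_TOK = re.compile(r'\s*(?:(,)|(=)|"((?:[^"\\]|\\.)*)"|([A-Za-z0-9!#$%&\'*+\-.^_`|~]+))')


def _tokenize(value):
    value = value.strip()
    pos, out = 0, []
    while pos < len(value):
        m = _TOK.match(value, pos)
        if not m:
            raise ValueError("malformed challenge at offset %d" % pos)
        comma, eq, quoted, tok = m.groups()
        if comma:
            out.append(("comma", ","))
        elif eq:
            out.append(("eq", "="))
        elif quoted is not None:
            out.append(("str", re.sub(r"\\(.)", r"\1", quoted)))  # unescape quoted-pair
        else:
            out.append(("tok", tok))
        pos = m.end()
    return out


def parse_challenges(value):
    """Split a WWW-Authenticate / Proxy-Authenticate value into [(scheme, {param: value})].
    A token followed by '=' is an auth-param; any other token starts a new challenge.
    token68 challenges (e.g. "Basic dXNlcg==") are not handled by this example."""
    toks = _tokenize(value)
    challenges, i = [], 0
    while i < len(toks):
        kind, val = toks[i]
        if kind == "comma":
            i += 1
            continue
        if kind != "tok":
            raise ValueError("unexpected %r" % (val,))
        if i + 1 < len(toks) and toks[i + 1][0] == "eq":
            if not challenges or i + 2 >= len(toks) or toks[i + 2][0] not in ("tok", "str"):
                raise ValueError("bad auth-param %r" % val)
            challenges[-1][1][val.lower()] = toks[i + 2][1]
            i += 3
        else:
            challenges.append((val.lower(), {}))
            i += 1
    return challenges


# Constructed allowlist: a server's challenge must not be able to send the client to an
# attacker-chosen STS, so only STS origins the user-agent already trusts are honoured.
TRUSTED_STS = {"https://sts.example.test"}


def handle_challenge(status, header_value, cache, fetch_from_sts, origin):
    """Decide how to answer a 401/407 that carries a Bearer challenge. Returns
    ("retry", header_name, "Bearer <token>"), ("redirect", issuer) or ("fail", reason).
    `cache` maps (status, origin, realm, scope) -> token; keying on origin keeps a token
    obtained for one host from being replayed to another."""
    if status not in (401, 407):
        return ("fail", "not an authentication challenge")
    header_name = "Proxy-Authorization" if status == 407 else "Authorization"
    bearer = next((p for s, p in parse_challenges(header_value) if s == "bearer"), None)
    if bearer is None:
        return ("fail", "no Bearer challenge offered")
    realm, scope = bearer.get("realm", ""), bearer.get("scope", "")
    key = (status, origin, realm, scope)
    error = bearer.get("error")
    if error == "invalid_token":
        cache.pop(key, None)  # the token we sent is expired/revoked: never resend it
    elif error not in (None, "insufficient_scope"):
        return ("fail", "server reported %s" % error)
    if key in cache:
        return ("retry", header_name, "Bearer " + cache[key])
    sts = bearer.get("sts_uri")  # hypothetical param name (see lead-in)
    if sts:
        if sts not in TRUSTED_STS:
            return ("fail", "challenge names an untrusted STS %s" % sts)
        token = fetch_from_sts(sts, realm, scope)
        cache[key] = token
        return ("retry", header_name, "Bearer " + token)
    issuer = bearer.get("oidc_issuer")  # hypothetical param name: OIDC redirect fallback
    if issuer:
        return ("redirect", issuer)
    return ("fail", "no automatic way to obtain a token")


class FakeSts:
    """Constructed stand-in for an STS: mints opaque per-(realm, scope) tokens, counts calls."""
    def __init__(self):
        self.calls = 0

    def fetch(self, sts_uri, realm, scope):
        self.calls += 1
        return "tok%d-%s-%s" % (self.calls, realm, scope.replace(" ", "+"))


def demo():
    """Walk one client through the flow on constructed challenges; returns (decisions, STS calls)."""
    cache, sts, origin = {}, FakeSts(), "https://api.example.test"
    chal = 'Bearer realm="api", scope="read", sts_uri="https://sts.example.test", Basic realm="api"'
    steps = [handle_challenge(401, chal, cache, sts.fetch, origin)]   # no token yet: fetch from STS
    steps.append(handle_challenge(401, chal, cache, sts.fetch, origin))  # same challenge: cache hit
    steps.append(handle_challenge(401, 'Bearer realm="api", scope="read", error="invalid_token", '
                                  'sts_uri="https://sts.example.test"', cache, sts.fetch, origin))
    steps.append(handle_challenge(407, 'Bearer realm="proxy", sts_uri="https://evil.example.test"',
                                  cache, sts.fetch, origin))              # untrusted STS: refuse
    steps.append(handle_challenge(401, 'Bearer realm="api", oidc_issuer="https://idp.example.test"',
                                  cache, sts.fetch, origin))              # no STS: OIDC fallback
    return steps, sts.calls
```

`demo()` exercises the five situations in order: first contact (STS fetch), repeat (cache hit, no second STS round trip), a server rejecting the cached token with `error="invalid_token"` (cache entry dropped, fresh fetch), a proxy challenge pointing at an STS outside the allowlist (refused), and a challenge with no STS at all (OIDC redirect). The same handler serves 407 by switching the credential header to `Proxy-Authorization`.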