Bearer Tokens in URLs

Does anyone know of a specification or documented convention for providing
a bearer token in a URL?

I.e., there are a number of HTTP clients that will interpret userinfo in a
URL as being the value to send in an HTTP Authorization header using Basic
auth.

I assume this is a peculiarity of HTTP and I note the username:password
form is deprecated in RFC 3986.

Does a convention of https://:<token>@host make sense?
i.e. empty username and token SHOULD never be displayed in the clear because
it is after the colon.

The use case here is providing, for example, a callback URL that is secured
using a bearer token.
Or storing the URL in config in a form that is easily serialized to a
string without needing to define an encoding and format etc.

Received on Friday, 6 September 2019 15:53:43 UTC
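
An added example, not part of the original message: one way a client could consume a URL in the `https://:<token>@host` form proposed above, moving the token into an `Authorization: Bearer` header and rebuilding the URL without userinfo so the token stays out of request lines and logs. The form is the poster's proposal, not a standard; the function name `split_bearer_url` and the sample URLs in the test are constructed for illustration, and the token check follows the `b64token` syntax of RFC 6750.

```python
import re
from urllib.parse import urlsplit, urlunsplit, unquote

# b64token syntax from RFC 6750, section 2.1. Rejecting anything else also
# blocks percent-encoded CR/LF from being injected into the header value.
_B64TOKEN = re.compile(r"[A-Za-z0-9\-._~+/]+=*")


def split_bearer_url(url):
    """Split a URL of the assumed form https://:<token>@host/path into
    (url_without_userinfo, headers). Hypothetical helper, not a library API."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("refusing to carry a bearer token over a non-https URL")
    if parts.hostname is None:
        raise ValueError("URL has no host")
    if parts.username:
        # A non-empty username means this is ordinary Basic-style userinfo.
        raise ValueError("expected an empty username before the colon")
    if not parts.password:
        raise ValueError("no token found after the colon")

    token = unquote(parts.password)
    if not _B64TOKEN.fullmatch(token):
        raise ValueError("token is not a valid b64token")

    # Rebuild the authority from host and port only, dropping the userinfo.
    host = parts.hostname
    if ":" in host:  # IPv6 literal: urlsplit strips the brackets
        host = "[" + host + "]"
    if parts.port is not None:
        host += ":" + str(parts.port)

    clean = urlunsplit((parts.scheme, host, parts.path, parts.query, parts.fragment))
    return clean, {"Authorization": "Bearer " + token}
```

Log and display only the first element of the returned tuple; the second belongs on the outgoing request and nowhere else.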