
On Wed, Jun 10, 2015 at 06:32:40PM +0000, Basney, Jim wrote:
> Hi Mischa,
>
> Thanks again for the comments. I've started to update http://goo.gl/VnMKXS based on our discussion.

Hi Jim,

Great! I'll have a look in detail later (probably during TNC).
Yes, I'm convinced. :)
> If I understand correctly it means that GET requests to the GetCert endpoint will contain two Authorization headers, one of type Basic containing the client_id and client_secret and another of type Bearer containing the access_token. However, as previously discussed, we prefer POST requests to the GetCert endpoint, in which case client_id, client_secret, and access_token are included in the application/x-www-form-urlencoded body. I've updated http://goo.gl/VnMKXS to match my understanding.

I think that sounds fine. One remark: is it allowed to have multiple Authorization headers? It's not entirely clear from https://tools.ietf.org/html/rfc7235#section-4.2. I think it's probably not intended, as it explicitly mentions in 4.1 that there can be multiple WWW-Authenticate headers... For a POST this is obviously not an issue.

Also, putting the client_secret in a GET is generally not a good idea for the same reasons as we discussed before (ends up in logfiles, browser caches etc.).

Best wishes,
Mischa

--
Nikhef                      Room H155
Science Park 105            Tel. +31-20-592 5102
1098 XG Amsterdam           Fax  +31-20-592 5155
The Netherlands             Email msalle@nikhef.nl
__ .. ... _._. .... ._ ... ._ ._.. ._.. .._..
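The following is an added example, not code from the thread or from the GetCert project, illustrating the POST variant the two of them settle on: the client sends client_id, client_secret and access_token in an application/x-www-form-urlencoded body, and the endpoint accepts them only from such a body, rejecting any request that carries them in the query string, where they would end up in logfiles and caches. The endpoint path `/getcert`, the function names and the error strings are assumptions; only the three field names and the content type come from the thread.

```python
"""Added example (not part of the original thread): POST-body credentials for a
hypothetical GetCert endpoint, with server-side checks that keep secrets out of
the request line. Path and function names are assumptions made for this example."""
from urllib.parse import urlencode, parse_qs, parse_qsl, urlsplit

GETCERT_PATH = "/getcert"                      # hypothetical endpoint path
FORM_TYPE = "application/x-www-form-urlencoded"
REQUIRED_FIELDS = ("client_id", "client_secret", "access_token")
SENSITIVE_FIELDS = ("client_secret", "access_token")   # never allowed in a URL


def build_getcert_request(client_id, client_secret, access_token):
    """Client side: put all three values in a form-encoded POST body, not in
    the URL and not in Authorization headers. Returns (method, target, headers, body)."""
    body = urlencode({"client_id": client_id,
                      "client_secret": client_secret,
                      "access_token": access_token})
    headers = {"Content-Type": FORM_TYPE, "Content-Length": str(len(body))}
    return "POST", GETCERT_PATH, headers, body


def parse_getcert_request(method, target, headers, body):
    """Server side: return (credentials, error). credentials is a dict with the
    three required fields, or None when the request is refused."""
    parts = urlsplit(target)
    if parts.path != GETCERT_PATH:
        return None, "unknown path"
    # Refuse GET outright: credentials in a request line are logged and cached.
    if method != "POST":
        return None, "method not allowed; use POST"
    # Even on a POST, a secret in the query string is a client bug; refuse it.
    if parts.query and any(f in parse_qs(parts.query) for f in SENSITIVE_FIELDS):
        return None, "credentials in query string"
    content_type = headers.get("Content-Type", "").split(";")[0].strip().lower()
    if content_type != FORM_TYPE:
        return None, "unsupported content type"
    fields = parse_qs(body, keep_blank_values=True)
    missing = [f for f in REQUIRED_FIELDS if f not in fields]
    if missing:
        return None, "missing: " + ", ".join(missing)
    # A field given twice is ambiguous (which value authenticates?); refuse it.
    repeated = [f for f in REQUIRED_FIELDS if len(fields[f]) != 1]
    if repeated:
        return None, "repeated field: " + ", ".join(repeated)
    return {f: fields[f][0] for f in REQUIRED_FIELDS}, None


def redacted_target(target):
    """The request target as an access log may safely record it: values of
    sensitive query fields are replaced before anything is written."""
    parts = urlsplit(target)
    if not parts.query:
        return parts.path
    pairs = [(k, "REDACTED" if k in SENSITIVE_FIELDS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return parts.path + "?" + urlencode(pairs)


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    method, target, headers, body = build_getcert_request("client-1", "s3cret", "tok-abc")
    print(method, target, headers, body)
    print(parse_getcert_request(method, target, headers, body))
    print(parse_getcert_request("GET", "/getcert?client_id=client-1&client_secret=s3cret", {}, ""))
    print(redacted_target("/getcert?client_id=client-1&client_secret=s3cret"))
```

The redaction helper exists because a rejected GET is still logged somewhere; rejecting it is the first line of defence and not writing its query string verbatim is the second.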