Should the token in the header be base64 encoded? #100
Comments
This is definitely unclear. Base64 is usually implemented to bypass issues such as escaping characters in a URL. Tokens do not contain such characters (to my knowledge), and can be passed in the header, where such problems don't apply. I imagine this is handled per-implementation.
Here is at least one example of base64-encoding being removed:
Yeah, links in that PR confirm that base64 encoding is not required, though I think it would have been clearer for the spec to require it. Oh, well.
Yeah, this answer says it all, and is super helpful
Doesn't it say to use base64 encoding? This phrase, "The syntax of the "Authorization" header field for this scheme follows the usage of the Basic scheme defined in Section 2 of [RFC2617]", points to base64 encoding. As per RFC2617, the Basic schema encodes the username and password in base64 encoding.
The spec is not clear about this, and the examples don't look encoded.
However, the spec points you to http://tools.ietf.org/html/rfc6750#section-2.1
which says:
So does b64token in this case mean it should be encoded? It also points to Authorization: Basic where the credentials are base64 encoded.
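As an added example (not part of the original thread or the project's code), this is a server-side check of the `b64token` grammar from RFC 6750 section 2.1. It shows that the grammar only restricts which characters a bearer token may contain, so a token can be valid without being decodable base64; the function names and sample headers are constructed for illustration.

```python
import base64
import binascii
import re

# Grammar from RFC 6750 section 2.1:
#   b64token    = 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="
#   credentials = "Bearer" 1*SP b64token
# The scheme name is matched case-insensitively, as HTTP auth schemes are.
_BEARER_RE = re.compile(r"Bearer +([A-Za-z0-9\-._~+/]+=*)", re.IGNORECASE)


def extract_bearer_token(header_value):
    """Return the token from an Authorization header value, or None.

    The token comes back exactly as it was sent. The grammar only limits
    which characters may appear; nothing here decodes anything.
    """
    if not header_value:
        return None
    match = _BEARER_RE.fullmatch(header_value.strip(" \t"))
    return match.group(1) if match else None


def is_standard_base64(token):
    """True if the token happens to decode as standard base64."""
    try:
        base64.b64decode(token, validate=True)
        return True
    except (binascii.Error, ValueError):
        return False


if __name__ == "__main__":
    # Constructed sample headers, not taken from the thread.
    samples = [
        "Bearer abc_123.def-456.ghi~789",  # legal b64token, not base64
        "bearer  dG9rZW4=",                # legal, and also base64
        "Bearer tok%en",                   # '%' is outside the grammar
        "Bearer two parts",                # embedded space
        "Basic dXNlcjpwYXNz",              # different scheme
    ]
    for header in samples:
        token = extract_bearer_token(header)
        print(repr(header), "->", repr(token),
              "base64" if token and is_standard_base64(token) else "")
```

Rejecting headers that fall outside the grammar before any token lookup keeps malformed input away from the token store, and the accepted token is compared as an opaque string.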