- From: Graham Klyne <gk@ninebynine.org>
- Date: Sun, 08 Sep 2019 09:11:02 +0100
- To: Adrian Hope-Bailie <adrian@hopebailie.com>, uri@w3.org
I'd say this could be problematic. E.g., see:

  https://www.w3.org/TR/capability-urls/#advantages
  https://stackoverflow.com/questions/4833314/are-secret-urls-truly-secure

(and other responses to googling "secrets in urls").

#g
--

On 06/09/2019 16:53, Adrian Hope-Bailie wrote:
> Does anyone know of a specification or documented convention for providing a
> bearer token in a URL?
>
> I.e. There are a number of HTTP clients that will interpret userinfo in a URL as
> being the value to send in an HTTP Authorization header using Basic auth.
>
> I assume this is a peculiarity of HTTP and I note the username:password form is
> deprecated in RFC3986.
>
> Does a convention of https://:<token>@host make sense?
> i.e. empty username and token SHOULD never be displayed in the clear because it
> is after the colon.
>
> The use case here is providing, for example, a callback URL that is secured
> using a bearer token.
> Or storing the URL in config in a form that is easily serialized to a string
> without needing to define an encoding and format etc.
Received on Sunday, 8 September 2019 08:11:29 UTC
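For readers weighing the proposal above, here is an added example (not code from either poster or from the W3C) of what the https://:<token>@host convention actually does in the hands of a client that maps userinfo to Basic auth, and of the redaction step such a convention forces on every component that later logs or displays the URL. It uses only the Python standard library; the host api.example and the token values are constructed sample data.

```python
import base64
from urllib.parse import quote, unquote, urlsplit, urlunsplit


def url_with_token(url: str, token: str) -> str:
    """Build the proposed https://:<token>@host form.

    The token goes in the password slot of the userinfo and is percent-encoded,
    so characters such as '/', ':' and '@' cannot break the URL syntax.
    """
    parts = urlsplit(url)
    host = parts.netloc.rpartition("@")[2]  # drop any userinfo already present
    netloc = ":" + quote(token, safe="") + "@" + host
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def basic_auth_header_from_url(url: str):
    """Mimic an HTTP client that turns URL userinfo into an Authorization header.

    Such clients send `Basic base64(user ":" password)`; with the empty-username
    convention that becomes `Basic base64(":" token)`, i.e. the server sees a
    Basic credential, not a Bearer token. Returns None if the URL has no userinfo.
    """
    parts = urlsplit(url)
    if parts.username is None and parts.password is None:
        return None
    user = unquote(parts.username or "")
    password = unquote(parts.password or "")
    creds = f"{user}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(creds).decode("ascii")


def decode_basic(header: str):
    """Inverse of the above: recover (username, password) from a Basic header."""
    scheme, _, blob = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic auth header")
    user, _, password = base64.b64decode(blob).decode("utf-8").partition(":")
    return user, password


def strip_userinfo(url: str) -> str:
    """Remove userinfo before a URL is logged, displayed or sent as a Referer.

    This is the step that is easy to forget: every place the full URL string is
    serialized (access logs, config dumps, error messages, browser history)
    otherwise carries the token along with it.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    if ":" in host:  # IPv6 literal must be re-bracketed
        host = f"[{host}]"
    netloc = host if parts.port is None else f"{host}:{parts.port}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    # Constructed sample values; api.example and the token are not from the thread.
    callback = url_with_token("https://api.example/callback?id=42", "s3cr3t")
    print(callback)                              # https://:s3cr3t@api.example/callback?id=42
    print(basic_auth_header_from_url(callback))  # Basic OnMzY3IzdA==
    print(strip_userinfo(callback))              # https://api.example/callback?id=42
```

The Basic header is the whole "convention": a receiver that expects `Authorization: Bearer <token>` will not recognise it unless it is also taught to base64-decode the Basic credential and treat the password field as the bearer token, and any intermediary that handles the URL as a plain string (rather than via a userinfo-aware parser) still sees the token in the clear.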