
You had me until "Please support HTTP basic auth for client authentication".

OAuth 2.1 draft spec emphasizes that basic auth is no longer preferred. I read that to mean: MAY, or perhaps even SHOULD NOT.



What is the problem with that? You know that the client credentials flow will normally just send the exact same information, principal and secret, in the form, right? How is sending a header with the information bad, especially when it was being done for ages already in this use case?
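
The point above, that `client_secret_basic` and `client_secret_post` carry the same principal and secret in different envelopes, shown as an added example (not code from the thread): a token-endpoint helper that accepts either form, applies the RFC 6749 rule that Basic credentials are form-urlencoded before base64, rejects requests that present both methods, and verifies the secret with a constant-time compare. The client registry and the request shapes are constructed for the example.

```python
import base64
import binascii
import hmac
from urllib.parse import quote, unquote

# Constructed registry: client_id -> client_secret (a real server stores a hash).
CLIENTS = {"app-123": "s3cr3t/with+specials"}


def basic_header(client_id, client_secret):
    """Client side: RFC 6749 2.3.1 form-urlencodes id and secret before base64."""
    pair = quote(client_id, safe="") + ":" + quote(client_secret, safe="")
    return "Basic " + base64.b64encode(pair.encode()).decode()


def extract_client_credentials(headers, form):
    """Return (client_id, client_secret, method) or raise ValueError.

    Both methods carry the same principal and secret; only the envelope differs.
    RFC 6749 forbids using more than one client authentication method per request.
    """
    auth = headers.get("Authorization", "")
    has_basic = auth.lower().startswith("basic ")
    has_post = "client_id" in form and "client_secret" in form
    if has_basic and has_post:
        raise ValueError("multiple client authentication methods")
    if has_basic:
        try:
            raw = base64.b64decode(auth[6:].strip(), validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError) as exc:
            raise ValueError("malformed Basic credentials") from exc
        cid, sep, secret = raw.partition(":")
        if not sep:
            raise ValueError("malformed Basic credentials")
        return unquote(cid), unquote(secret), "client_secret_basic"
    if has_post:
        return form["client_id"], form["client_secret"], "client_secret_post"
    raise ValueError("no client authentication")


def authenticate_client(headers, form):
    """Verify with a constant-time compare; returns (ok, client_id, method)."""
    try:
        cid, secret, method = extract_client_credentials(headers, form)
    except ValueError:
        return False, None, None
    expected = CLIENTS.get(cid, "")
    ok = bool(expected) and hmac.compare_digest(expected.encode(), secret.encode())
    return ok, cid, method
```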


> How is sending a header with the information bad, especially when it was being done for ages already in this use case?

leeches

(To actually answer your question, there are a number of tricks you can use to prevent abuse that aren't effective when using HTTP Basic.)



