9
votes

The OPTIONAL realm parameter is added and interpreted per [RFC2617], section 1.2. [OAuth 1.0]

What is the difference between a request with and without a realm field?


2 Answers

6
votes

The Provider basically decides if this is of any importance. It is the counterpart of the WWW-Authenticate response header. If a server returns a WWW-Authenticate header of 'OAuth realm="https://api.example.com"' then it probably parses that value from the Authenticate request header in the OAuth process.

These headers have a more direct implication when using HTTP Basic authentication since all browsers support this.

When using OAuth and WWW-authenticate header it is mostly good form I would say. With the added benefit of not having API responses cached in proxies/nodes across the Internet.

1
votes

The authentication parameter realm is defined for all authentication schemes:

  realm       = "realm" "=" realm-value
  realm-value = quoted-string

The realm directive (case-insensitive) is required for all authentication schemes that issue a challenge. The realm value (case-sensitive), in combination with the canonical root URL (the absoluteURI for the server whose abs_path is empty; see section 5.1.2 of [2]) of the server being accessed, defines the protection space. These realms allow the protected resources on a server to be partitioned into a set of protection spaces, each with its own authentication scheme and/or authorization database. The realm value is a string, generally assigned by the origin server, which may have additional semantics specific to the authentication scheme. Note that there may be multiple challenges with the same auth-scheme but different realms.

Source: https://www.rfc-editor.org/rfc/rfc2617
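The two answers above describe the same round trip from opposite ends: the server issues a WWW-Authenticate challenge carrying a realm, the client echoes that realm in its Authorization header, and the (canonical root URL, realm) pair is what identifies the protection space. The following is an added example written for this page, not code from either answer or from any OAuth library. It parses a WWW-Authenticate value with one or more challenges (quoted-string unescaping per RFC 2617 quoted-pair), derives the protection space from a request URL and a realm, and builds the OAuth 1.0 Authorization header with the realm echoed back. The header values and the host api.example.com are constructed; dropping default ports in the canonical root URL follows the URI comparison rules of RFC 2616 section 3.2.3.

```python
"""WWW-Authenticate realm handling: parse challenges, derive the protection
space, and echo the realm in an OAuth 1.0 Authorization header.

Added example for this Q&A page; not taken from the answers or from any
OAuth implementation. Header values and hostnames below are constructed.
"""
import re
from urllib.parse import urlsplit

# RFC 2617 token characters (the same set RFC 7235 uses for auth-scheme / auth-param names)
_TOKEN_RE = re.compile(r"([A-Za-z0-9!#$%&'*+.^_`|~-]+)")
# auth-param: token "=" ( token | quoted-string ); quoted-string may contain \" quoted-pairs
_PARAM_RE = re.compile(r'([A-Za-z0-9!#$%&\'*+.^_`|~-]+)\s*=\s*("((?:[^"\\]|\\.)*)"|[^\s,]+)')


def parse_challenges(header_value: str) -> list:
    """Parse a WWW-Authenticate value into [(scheme, {param: value}), ...].

    Several challenges may share one header, separated by commas, e.g.
        OAuth realm="https://api.example.com", Basic realm="admin"
    A challenge without parameters (a bare "OAuth") yields an empty dict.
    Parameter names are case-insensitive and are lowercased; values
    (including realm) are case-sensitive and kept verbatim.
    """
    challenges = []
    pos, n = 0, len(header_value)
    while pos < n:
        while pos < n and header_value[pos] in " \t,":  # skip separators
            pos += 1
        if pos >= n:
            break
        m = _TOKEN_RE.match(header_value, pos)
        if not m:
            raise ValueError(f"expected auth-scheme at offset {pos}")
        scheme, pos, params = m.group(1), m.end(), {}
        while True:
            save = pos
            while pos < n and header_value[pos] in " \t,":
                pos += 1
            pm = _PARAM_RE.match(header_value, pos)
            if not pm:          # next token is not name=value: a new challenge starts
                pos = save
                break
            name, raw = pm.group(1).lower(), pm.group(2)
            if raw.startswith('"'):
                value = re.sub(r"\\(.)", r"\1", pm.group(3))  # undo quoted-pair escapes
            else:
                value = raw
            params[name] = value
            pos = pm.end()
        challenges.append((scheme, params))
    return challenges


def canonical_root_url(url: str) -> str:
    """Canonical root URL per RFC 2617 sec. 1.2: the absoluteURI with an empty path.

    Scheme and host are lowercased and a default port is dropped (RFC 2616
    sec. 3.2.3 treats an absent port and the default port as equivalent), so
    https://api.example.com:443/a and https://api.example.com/b share a root.
    """
    parts = urlsplit(url)
    if not parts.scheme or not parts.hostname:
        raise ValueError(f"not an absolute URL: {url!r}")
    scheme, host, port = parts.scheme.lower(), parts.hostname.lower(), parts.port
    default = {"http": 80, "https": 443}.get(scheme)
    if port is None or port == default:
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"


def protection_space(url: str, realm: str) -> tuple:
    """The protection space is the pair (canonical root URL, realm); realm is case-sensitive."""
    return (canonical_root_url(url), realm)


def oauth_authorization_header(realm, oauth_params: dict) -> str:
    """Build the OAuth 1.0 Authorization header the client sends back.

    realm is optional; when the server's challenge carried one it is echoed
    first. oauth_params values are assumed to be already percent-encoded.
    Note: OAuth 1.0 excludes the realm parameter from the signature base
    string, so echoing a different realm does not break the signature but
    may land the request in a different protection space on the server.
    """
    parts = [] if realm is None else [f'realm="{realm}"']
    parts.extend(f'{k}="{v}"' for k, v in oauth_params.items())
    return "OAuth " + ", ".join(parts)


if __name__ == "__main__":
    challenge = 'OAuth realm="https://api.example.com", Basic realm="admin"'  # constructed
    for scheme, params in parse_challenges(challenge):
        print(scheme, params)
    print(protection_space("https://api.example.com:443/v1/users", "https://api.example.com"))
    print(oauth_authorization_header("https://api.example.com",
                                     {"oauth_consumer_key": "key", "oauth_token": "tok"}))
```

Without a realm in the challenge, parse_challenges returns an empty parameter dict and the client simply omits realm from its Authorization header; the server then cannot distinguish protection spaces on the same canonical root URL, which is the practical difference the question asks about.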