[OTDev] API modifications for A&A

Andreas Maunz andreas at maunz.de
Wed May 5 15:10:33 CEST 2010


Nina Jeliazkova wrote on 05/05/2010 02:23 PM:
> Andreas Maunz wrote:
>> Nina Jeliazkova wrote on 05/05/2010 02:13 PM:
>>> Andreas Maunz wrote:
>>>> Personally, I am fine with end of May. Just wanted to give you an
>>>> update.
>>>> This also gives me some time to move the server to a dedicated
>>>> environment.
>>> OK.  Without looking /testing anything in AA, my wish list includes AA
>>> API as generic as possible, in order to accommodate solutions other than
>>> OpenSSO in future, by just changing the URL of token provider.
>>
>> Sure, I agree!
> Great!
>
> BTW,  could you evaluate /summarize what are pros/cons for having the AA
> token in a custom HTTP header, vs. into URL  (URL length for example) ?
> What is the recommended practice?

Pros of token in query string:
- Can easily pass URLs with working token around

Cons of token in query string:
- Need to URL-encode the token string
- URL gets longer
- Token is the key for access. Using it in URL might be risky. Using it 
in a header is safe when using SSL (correct?).

There is no general rule for usage in practice. For example, Google 
supports both 
(http://code.google.com/apis/gdata/docs/auth/overview.html), while 
OpenSSO uses URL query string fields. Perhaps we could also support 
both, at least between client and webservice.

Regards
Andreas
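The two transports compared in the message above (custom header vs. URL query string), as an added example that is not code from the original thread, from OpenSSO or from the OpenTox project. The header name `X-AA-Token`, the query-string field name `token`, the URLs and the sample token value are all assumed placeholders constructed for the demonstration:

```python
from typing import Optional
from urllib.parse import parse_qs, quote_plus, urlencode, urlsplit, urlunsplit

# Assumed names (not from the mailing-list post): the header and the
# query-string field the AA service would read the token from.
TOKEN_HEADER = "X-AA-Token"
TOKEN_PARAM = "token"

# Constructed sample token. It contains '+', '/' and '=' (typical of
# base64 output), so it is not URL-safe and must be encoded in a query string.
SAMPLE_TOKEN = "AQIC5wM2LY4Sfcw+abc/def=="


def url_with_token(base_url: str, token: str) -> str:
    """Client side, query-string variant: append the token as a URL-encoded field."""
    parts = urlsplit(base_url)
    query = parse_qs(parts.query, keep_blank_values=True)
    query[TOKEN_PARAM] = [token]
    new_query = urlencode(query, doseq=True)  # percent-encodes '+', '/', '='
    return urlunsplit((parts.scheme, parts.netloc, parts.path, new_query, parts.fragment))


def headers_with_token(token: str) -> dict:
    """Client side, header variant: no URL-encoding needed for an ASCII token."""
    return {TOKEN_HEADER: token}


def extract_token(headers: dict, url: str) -> Optional[str]:
    """Server side: accept the token from the header first, then from the
    query string, so both transports work with the same service code.
    parse_qs undoes the percent-encoding applied by url_with_token."""
    for name, value in headers.items():
        if name.lower() == TOKEN_HEADER.lower():  # HTTP header names are case-insensitive
            return value
    values = parse_qs(urlsplit(url).query).get(TOKEN_PARAM)
    return values[0] if values else None


def access_log_line(method: str, url: str, status: int) -> str:
    """A typical web-server access-log request line: the full request target
    (path plus query string) is written out, request headers are not."""
    parts = urlsplit(url)
    target = parts.path + ("?" + parts.query if parts.query else "")
    return f'"{method} {target} HTTP/1.1" {status}'


def token_leaks_into_log(log_line: str, token: str) -> bool:
    """Detection helper: does the token (raw or percent-encoded) appear in a log line?"""
    return token in log_line or quote_plus(token) in log_line


if __name__ == "__main__":
    base = "https://aa.example.org/auth?foo=1"  # constructed URL
    qs_url = url_with_token(base, SAMPLE_TOKEN)
    print("query-string URL:", qs_url)
    print("server sees (qs):", extract_token({}, qs_url))
    print("server sees (hdr):", extract_token(headers_with_token(SAMPLE_TOKEN), base))
    print("token in log (qs): ", token_leaks_into_log(access_log_line("GET", qs_url, 200), SAMPLE_TOKEN))
    print("token in log (hdr):", token_leaks_into_log(access_log_line("GET", base, 200), SAMPLE_TOKEN))
```

The last two lines of output make the risk concrete: with SSL both transports are encrypted on the wire, but a token carried in the query string is still written to the server's access log (and typically to browser history and `Referer` headers), while a header-borne token is not. Supporting both on the server, with the header preferred, keeps the API generic without forcing clients into the riskier transport.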
