Below is proposed text where a token is referred to as an identifier. Here is the definition of identifier from RFC 4949:
$ identifier
  (I) A data object -- often, a printable, non-blank character string -- that definitively represents a specific identity of a system entity, distinguishing that identity from all others. (Compare: identity.)

Many tokens in practice don't fit this definition. Here is suggested new language:

Abstract

  This specification describes the OAuth 2.0 protocol. OAuth provides a method for making authenticated HTTP requests using a token - a string used to denote an access grant with specific scope, duration, and other attributes. Tokens are issued to third-party clients by an authorization server with the approval of the resource owner. OAuth defines multiple flows for obtaining a token to support a wide range of client types and user experience.

access token
  A token used by the client to make authenticated requests on behalf of the resource owner. Access tokens may have a matching secret and are usually opaque to the client.

refresh token
  A token used by the client to replace an expired access token with a new access token without having to involve the resource owner. A refresh token is used when the access token is valid for a shorter time period than the duration of the access grant approved by the resource owner.

token
  A string that represents the authorization granted to a client. The string may contain the authorization information and be signed, or the string may be an identifier that is used to retrieve the authorization information.

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
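The proposed "token" definition names two constructions: a self-contained string that carries the grant and is signed, and an opaque identifier that is looked up server-side. The following is an added illustration, not text from the draft or from this post; it assumes an HMAC key shared by the authorization server and resource server and an in-memory grant store, with constructed client ids, scopes and clock values.

```python
import base64, hashlib, hmac, json, secrets

# Assumption: signing key shared by the authorization server and the resource server (constructed).
KEY = b"constructed-demo-signing-key"

def b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def unb64u(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

# Construction 1: the string contains the authorization information and is signed.
def issue_self_contained(client_id: str, scope: str, ttl: int, now: int) -> str:
    grant = {"client_id": client_id, "scope": scope, "exp": now + ttl}
    body = b64u(json.dumps(grant, separators=(",", ":"), sort_keys=True).encode())
    sig = b64u(hmac.new(KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"

def verify_self_contained(token: str, now: int):
    # Returns the grant, or None if the signature is bad or the token has expired.
    body, _, sig = token.partition(".")
    expected = b64u(hmac.new(KEY, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None
    grant = json.loads(unb64u(body))
    return grant if grant["exp"] > now else None

# Construction 2: the string is an identifier used to retrieve the authorization information.
GRANTS = {}  # server-side store: opaque handle -> grant (constructed, in-memory)

def issue_identifier(client_id: str, scope: str, ttl: int, now: int) -> str:
    handle = secrets.token_urlsafe(32)  # unguessable, carries no information itself
    GRANTS[handle] = {"client_id": client_id, "scope": scope, "exp": now + ttl}
    return handle

def verify_identifier(token: str, now: int):
    grant = GRANTS.get(token)
    return grant if grant and grant["exp"] > now else None

# Refresh: the refresh token identifies the longer-lived grant; a new short-lived
# access token is minted from it without involving the resource owner.
def refresh(refresh_token: str, now: int, access_ttl: int = 300):
    grant = verify_identifier(refresh_token, now)
    if grant is None:
        return None
    return issue_self_contained(grant["client_id"], grant["scope"], access_ttl, now)
```

Either construction lets the resource server recover scope and expiry; the difference is whether revocation needs a store lookup (identifier) or can only take effect at expiry unless a signed token is also checked against a list (self-contained).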