John, >> access_token=saml.fhHFhgf6575fhgFGrytr
> What is the advantage of doing it this way over having a separate field? Client simplicity (code and mental model). > What if the format is a URI? That is a choice between the AS and PR that is irrelevant to the client app -- so why should the client app have to worry about it (and any extra escaping it entails). >> There can be an IANA registry for prefixes if that is helpful. > Personally, I'd like to see this solution be a bit more distributed, and a > registry isn't. I hope there aren't so many common, shared formats that a distributed solution is necessary. But you can make the prefix a domain name, or a base64url-encoded URI, or a hash of a URI etc if you really want it distributed. Andrew Arnott said: > But token_format is not the idea I think. It's more like token_origin. I hope we don't need a 3rd "opaque string" for the client app to transfer from the AS to PR. -- James Manger _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
