On Sun, Jun 6, 2010 at 8:14 PM, Manger, James H > Defining an optional prefix for access_token values to indicate the format would work well. > I suggest a plain text label separated by, say, a "." from the rest of the > value. For example: > access_token=saml.fhHFhgf6575fhgFGrytr > There can be an IANA registry for prefixes if that is helpful. > A service currently supporting a single token format can start its > access_token values with "." so at least they will not accidentally clash > with any future values that do specify a format. > access_token=.6786345_JGJSgfjhsgfhj-ss_s > A service that will never need token format interop doesn't need to using any > prefix (empty or otherwise), and can use dots however it wants.
Slick! Andrew brought up a good point about interop between multiple token issuers. But that can be solved by data *inside* the access token. If a server really needs to crack open tokens from multiple issuers, it would work like this: parse the format off the front decode the rest of the token according to the format crack open the token to find a pointer to the issuer use that information to verify the token I don't think the prefix needs any kind of URI or namespacing. New token formats should be extremely rare. Cheers, Brian _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
