On Sun, Jun 6, 2010 at 8:14 PM, Manger, James H wrote:
> Defining an optional prefix for access_token values to indicate the format
> would work well.
> I suggest a plain text label separated by, say, a "." from the rest of the 
> value. For example:
>  access_token=saml.fhHFhgf6575fhgFGrytr
> There can be an IANA registry for prefixes if that is helpful.
> A service currently supporting a single token format can start its 
> access_token values with "." so at least they will not accidentally clash 
> with any future values that do specify a format.
>  access_token=.6786345_JGJSgfjhsgfhj-ss_s
> A service that will never need token format interop doesn't need to use any 
> prefix (empty or otherwise), and can use dots however it wants.

Slick!

Andrew brought up a good point about interop between multiple token
issuers.  But that can be solved by data *inside* the access token.
If a server really needs to crack open tokens from multiple issuers,
it would work like this:

parse the format off the front
decode the rest of the token according to the format
crack open the token to find a pointer to the issuer
use that information to verify the token

I don't think the prefix needs any kind of URI or namespacing.  New
token formats should be extremely rare.

Cheers,
Brian
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
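
The four steps listed in the reply above, worked through as an added example (not part of the original thread or of any OAuth specification). The "demo" format label, its HMAC-signed body, the decoder registry, and the issuer names and keys are all assumptions constructed for illustration.

```python
import base64, hashlib, hmac, json

# Constructed sample data: issuer URLs and keys are hypothetical.
TRUSTED_ISSUERS = {"https://issuer-a.example": b"key-a",
                   "https://issuer-b.example": b"key-b"}

def b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_demo(issuer, key, subject):
    """Build a token in the constructed 'demo' format: demo.<payload>.<mac>"""
    payload = b64e(json.dumps({"iss": issuer, "sub": subject}).encode())
    mac = b64e(hmac.new(key, payload.encode(), hashlib.sha256).digest())
    return f"demo.{payload}.{mac}"

def decode_demo(rest):
    payload, _, mac = rest.partition(".")
    return json.loads(b64d(payload)), payload.encode(), b64d(mac)

DECODERS = {"demo": decode_demo}  # hypothetical registry of known labels

def verify_access_token(token):
    # 1. Parse the format label off the front; split on the first "." only.
    label, dot, rest = token.partition(".")
    if not dot:
        raise ValueError("no format prefix")
    if label == "":
        raise ValueError("empty prefix: single-format service token")
    if label not in DECODERS:
        raise ValueError("unknown token format")
    # 2. Decode the rest of the token according to the format.
    try:
        claims, signed, mac = DECODERS[label](rest)
        issuer = claims["iss"]
    except (ValueError, KeyError, TypeError) as exc:
        raise ValueError("malformed token body") from exc
    # 3. The issuer pointer is unverified input: use it only as a lookup
    #    key into a local allowlist, never as a place to fetch keys from.
    key = TRUSTED_ISSUERS.get(issuer) if isinstance(issuer, str) else None
    if key is None:
        raise ValueError("untrusted issuer")
    # 4. Verify the token with that issuer's key, in constant time.
    if not hmac.compare_digest(hmac.new(key, signed, hashlib.sha256).digest(), mac):
        raise ValueError("bad signature")
    return claims
```

The two access_token values quoted in the thread are rejected at step 1 here: "saml" is not a registered label in this sketch, and the empty prefix marks a token that declares no interoperable format.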