token_type should be an HTTP authentication scheme name (eg "BASIC" or "BEARER" 
or "MAC"...).
The core spec (draft-ietf-oauth-v2) should explicitly state this rule.
From the token_type, the client app knows which auth scheme to use.
[renaming the parameter from "token_type" to "scheme" would help.]

Defining token_type to be an HTTP authentication scheme name effectively 
defines how OAuth2 can deliver credentials for auth schemes that are 
independent of OAuth2, eg schemes specified before OAuth2 existed. It 
eliminates the need for additional specs just to provide a link from OAuth2 to 
every authentication mechanism.

Some auth mechanisms for which OAuth2 could deliver credentials are not 
actually HTTP authentication schemes. Eg OAuth2 delivering an id/secret to use 
in TLS-PSK (pre-shared key). For that you will need a small additional spec to 
define a token_type value -- ie define a pseudo-HTTP-auth-scheme-name.

P.S. Related to this, the bearer spec (draft-ietf-oauth-v2-bearer) must not use 
the "OAuth2" scheme name. It needs its own scheme name, eg "BEARER".


--
James Manger
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
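An added example (not code from the post or from any OAuth draft) of the client-side rule described above: the client parses the token endpoint response and dispatches on token_type as an HTTP auth scheme name, case-insensitively, refusing any scheme it has no handler for instead of guessing. The handler registry, the exception class and the sample responses are this example's own constructions.

```python
import json

class UnsupportedTokenType(ValueError):
    """Raised when token_type names a scheme this client cannot speak."""

def _bearer_header(token: dict, method: str, uri: str) -> str:
    # Bearer credentials are just the raw access_token, labelled with the
    # scheme name "Bearer" (not "OAuth2", as the post argues).
    return "Bearer " + token["access_token"]

# token_type -> function building the Authorization header value.  Keys are
# lower-case because HTTP auth scheme names compare case-insensitively.
# Only "bearer" is implemented; schemes needing their own signing logic
# (e.g. "mac") are deliberately absent so the client fails closed.
SCHEME_HANDLERS = {
    "bearer": _bearer_header,
}

def is_supported_token_type(token_type: str) -> bool:
    return token_type.lower() in SCHEME_HANDLERS

def parse_token_response(body: str) -> dict:
    """Parse a JSON token endpoint response, requiring the two fields the
    client needs to build credentials for the protected resource."""
    token = json.loads(body)
    for field in ("access_token", "token_type"):
        if field not in token:
            raise ValueError(f"token response missing {field!r}")
    return token

def authorization_header(token: dict, method: str = "GET", uri: str = "/") -> str:
    """Return the Authorization header value for a resource request,
    dispatching on token_type; an unknown scheme is refused, not guessed."""
    handler = SCHEME_HANDLERS.get(token["token_type"].lower())
    if handler is None:
        raise UnsupportedTokenType(f"no handler for token_type {token['token_type']!r}")
    return handler(token, method, uri)

# Constructed sample responses, not captured from any real server.
SAMPLE_BEARER = '{"access_token": "mF_9.B5f-4.1JqM", "token_type": "BEARER", "expires_in": 3600}'
SAMPLE_PSK = '{"access_token": "psk-identity-42", "token_type": "tls-psk"}'

if __name__ == "__main__":
    print(authorization_header(parse_token_response(SAMPLE_BEARER)))
    try:
        authorization_header(parse_token_response(SAMPLE_PSK))
    except UnsupportedTokenType as err:
        print("refused:", err)
```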