Token type is as simple as informing the client how to use the token issued. If you tell it 'bearer' it means 'present it as is without having to do anything else'. If you tell it 'mac' it means 'construct a very specific signature base string and hmac it with the provided secret'. For JWT it means figure out what the token internals mean and use it as needed.
It is pretty straightforward. You give the client a token and tell it exactly what to do with it.

EHL

-----Original Message-----
From: Mike Jones [mailto:michael.jo...@microsoft.com]
Sent: Friday, December 03, 2010 5:08 PM
To: Eran Hammer-Lahav; Marius Scurtescu
Cc: oauth@ietf.org
Subject: RE: [OAUTH-WG] OAuth 2.0 Bearer Token specification draft -01

My assumption about the new token_type parameter is that it would be used to communicate the data type of the token -- not the class of the token. I was imagining token_type values like:

  SWT
  JWT
  urn:oasis:names:tc:SAML:1.0:assertion
  urn:oasis:names:tc:SAML:2.0:assertion

Or Eran, did you mean for the token_type to be more like the WS-Trust 1.3 wst:KeyType parameter, where values defined by that spec are:

  http://docs.oasis-open.org/ws-sx/ws-trust/200512/PublicKey
  http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey
  http://docs.oasis-open.org/ws-sx/wstrust/200512/Bearer

I hope you meant the former, as this information would be generally useful (and something I know that our developers have asked for, based upon their deployment experiences).

Thanks,
-- Mike

-----Original Message-----
From: Eran Hammer-Lahav [mailto:e...@hueniverse.com]
Sent: Thursday, December 02, 2010 12:23 PM
To: Marius Scurtescu; Mike Jones
Cc: oauth@ietf.org
Subject: RE: [OAUTH-WG] OAuth 2.0 Bearer Token specification draft -01

> -----Original Message-----
> From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf
> Of Marius Scurtescu
> Sent: Thursday, December 02, 2010 12:19 PM
> To: Mike Jones
> Cc: oauth@ietf.org
> Subject: Re: [OAUTH-WG] OAuth 2.0 Bearer Token specification draft -01
>
> OAuth 2 Protocol Framework v11 introduces a new required parameter:
> token_type.
>
> Should the Bearer Token spec define the value for this parameter for
> bearer tokens?

Yes. 'bearer' seems sensible, but I don't really care. I am going to define 'mac' in my own extension.

> Are we blocked by the missing section 6.1. (Access Token Types) of the
> Framework spec?

No. It will simply describe the general flow and how to define (register) token types and authentication methods for those types. IOW, all spec-talk. You can decide how it works and implement and deal with the extension paperwork later.

EHL

> Marius
>
> On Wed, Dec 1, 2010 at 11:35 PM, Mike Jones
> <michael.jo...@microsoft.com> wrote:
> > Draft -01 of the OAuth 2.0 Bearer Token specification is now available.
> > This version is intended to accompany OAuth 2.0 draft -11. This
> > draft is based upon the September 3rd preliminary OAuth 2.0 draft by
> > Eran Hammer-Lahav, with input from David Recordon and several others.
> > It includes an extensive Security Considerations section, for which
> > Hannes Tschofenig gets significant credit.
> >
> > The draft is available at these locations:
> >
> > http://www.ietf.org/internet-drafts/draft-ietf-oauth-v2-bearer-01.txt
> >
> > http://www.ietf.org/internet-drafts/draft-ietf-oauth-v2-bearer-01.xml
> >
> > http://self-issued.info/docs/draft-ietf-oauth-v2-bearer-01.html
> >
> > http://self-issued.info/docs/draft-ietf-oauth-v2-bearer-01.txt
> >
> > http://self-issued.info/docs/draft-ietf-oauth-v2-bearer-01.xml
> >
> > http://svn.openid.net/repos/specifications/oauth/2.0/ (Subversion
> > repository, with html, txt, and html versions available)
> >
> > If any of you believe that you should be added to the
> > Acknowledgments in Appendix A, please drop me a note and I'll be glad to
> > add you.
> >
> > -- Mike
> >
> > _______________________________________________
> > OAuth mailing list
> > OAuth@ietf.org
> > https://www.ietf.org/mailman/listinfo/oauth
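
A client-side sketch of the behaviour discussed in this thread, where token_type selects how the token is used; this is an added example, not code from the thread or from any of the drafts. The Bearer header form is the one later published in RFC 6750; the "mac_key" field, the MAC base string layout and the MAC header parameters are assumptions made up for illustration, and the sample responses are constructed.

```python
import hashlib
import hmac


def authorization_header(token_response, method, host, path):
    """Return the Authorization header value for one request.

    token_response is the parsed token endpoint reply (constructed samples below).
    """
    token = token_response["access_token"]
    # token_type is compared case-insensitively.
    token_type = str(token_response.get("token_type", "")).lower()

    if token_type == "bearer":
        # Present the token as is; nothing is computed per request.
        return f"Bearer {token}"

    if token_type == "mac":
        # ASSUMPTION: "mac_key", the base string layout and the header
        # parameters are placeholders for this example, not a real draft.
        key = token_response["mac_key"].encode()
        base = "\n".join([method.upper(), host.lower(), path]) + "\n"
        sig = hmac.new(key, base.encode(), hashlib.sha256).hexdigest()
        return f'MAC token="{token}", signature="{sig}"'

    # Unknown type: the client does not know how to use the token, so it
    # refuses rather than falling back to sending it as a bearer token.
    raise ValueError(f"unsupported token_type: {token_type!r}")


# Constructed sample responses (not real credentials).
BEARER_RESPONSE = {"access_token": "tok-123", "token_type": "Bearer"}
MAC_RESPONSE = {"access_token": "tok-456", "token_type": "mac", "mac_key": "s3cret"}
JWT_RESPONSE = {"access_token": "aaa.bbb.ccc", "token_type": "JWT"}

if __name__ == "__main__":
    for resp in (BEARER_RESPONSE, MAC_RESPONSE, JWT_RESPONSE):
        try:
            print(authorization_header(resp, "GET", "api.example.com", "/photos"))
        except ValueError as exc:
            print("refused:", exc)
```

Refusing an unrecognised token_type keeps a token that was issued with a secret from being sent in the clear as if it were a bearer token.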