Dirk said:
> FWIW, I agree with Brian - it [the "Bearer" scheme] should say OAuth
> somewhere, because it's an OAuth token.

OAuth can deliver any variety of bearer token: SAML, JWT, SWT, opaque id, anything else. Conversely, any of these tokens can come from a variety of sources: a user-delegation OAuth flow, a client-only OAuth flow, a flow with nothing to do with OAuth, a device interaction, manual configuration...

A server receives a bearer token in a request. Dirk, are you saying the contents of the token (and that it is a bearer token) is not enough for the server? Does the server also need to know that it came from an OAuth flow? If so, I suspect the server actually needs to know more than that: such as which OAuth flow was used (e.g. user-delegation, client-only, assertion, future device flow etc.), or from which authorization server it came.

I don't think a scheme name saying "OAuth" helps.

--
James Manger

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth