On Sun, Feb 6, 2011 at 4:26 AM, Manger, James H <
james.h.man...@team.telstra.com> wrote:

>  Dirk said:
>
> > FWIW, I agree with Brian - it [the “Bearer” scheme] should say OAuth
> somewhere, because it's an OAuth token.
>
>
>
> OAuth can deliver any variety of bearer token: SAML, JWT, SWT, opaque id,
> anything else.
>
> Conversely, any of these tokens can come from a variety of sources: a
> user-delegation OAuth flow, a client-only OAuth flow, a flow with nothing to
> do with OAuth, a device interaction, manual configuration….
>
Yes - they're all still OAuth tokens, though. As opposed to passwords,
basic auth tokens, etc., (which are also bearer tokens, but not OAuth
tokens).

> A server receives a bearer token in a request.
>
> Dirk, are you saying the contents of the token (and that it is a bearer
> token) is not enough for the server?
>
No - I'm sure the server can look at the token and figure out that it's an
OAuth token. All I'm saying is that if it's an OAuth token, we should call
it an OAuth token.

Dirk.


> Does the server also need to know that it came from an OAuth flow? If so, I
> suspect the server actually needs to know more than that: such as which
> OAuth flow was used (eg user-delegation, client-only, assertion, future
> device flow etc), or from which authorization server it came. I don’t think
> a scheme name saying “OAuth” helps.
>
>
>
> --
>
> James Manger
>
>
>
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
