Yes, any token issued via OAuth by an authorization server is an OAuth token by definition. Which makes 'token_type=oauth2' an silly and confusing statement, given that any token issued via this method is also an OAuth 2.0 token... but for some reason only one is labeled oauth2.
EHL From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of Dirk Balfanz Sent: Sunday, February 06, 2011 11:16 PM To: Manger, James H Cc: OAuth WG Subject: Re: [OAUTH-WG] Bearer token type and scheme name (deadline: 2/10) On Sun, Feb 6, 2011 at 4:26 AM, Manger, James H <james.h.man...@team.telstra.com<mailto:james.h.man...@team.telstra.com>> wrote: Dirk said: > FWIW, I agree with Brian - it [the "Bearer" scheme] should say OAuth > somewhere, because it's an OAuth token. OAuth can deliver any variety of bearer token: SAML, JWT, SWT, opaque id, anything else. Conversely, any of these tokens can come from a variety of sources: a user-delegation OAuth flow, a client-only OAuth flow, a flow with nothing to do with OAuth, a device interaction, manual configuration.... Yes - they're all still all OAuth tokens, though. As opposed to passwords, basic auth tokens, etc., (which are also bearer tokens, but not OAuth tokens). A server receives a bearer token in a request. Dirk, are you saying the contents of the token (at that it is a bearer token) is not enough for the server? No - I'm sure the server can look at the token and figure out that it's on OAuth token. All I'm saying is that if it's an OAuth token, we should call it an OAuth token. Dirk. Does the server also need to know that it came from an OAuth flow? If so, I suspect the server actually needs to know more than that: such as which OAuth flow was used (eg user-delegation, client-only, assertion, future device flow etc), or from which authorization server it came. I don't think a scheme name saying "OAuth" helps. -- James Manger
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
