-1 I don't agree fully here.
Phil

Sent from my phone.

On 2011-02-07, at 0:02, Eran Hammer-Lahav <e...@hueniverse.com> wrote:

> Yes, any token issued via OAuth by an authorization server is an OAuth token
> by definition. Which makes ‘token_type=oauth2’ a silly and confusing
> statement, given that any token issued via this method is also an OAuth 2.0
> token… but for some reason only one is labeled oauth2.
>
> EHL
>
> From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of
> Dirk Balfanz
> Sent: Sunday, February 06, 2011 11:16 PM
> To: Manger, James H
> Cc: OAuth WG
> Subject: Re: [OAUTH-WG] Bearer token type and scheme name (deadline: 2/10)
>
> On Sun, Feb 6, 2011 at 4:26 AM, Manger, James H
> <james.h.man...@team.telstra.com> wrote:
>
> Dirk said:
>
> > FWIW, I agree with Brian - it [the “Bearer” scheme] should say OAuth
> > somewhere, because it's an OAuth token.
>
> OAuth can deliver any variety of bearer token: SAML, JWT, SWT, opaque id,
> anything else.
>
> Conversely, any of these tokens can come from a variety of sources: a
> user-delegation OAuth flow, a client-only OAuth flow, a flow with nothing to
> do with OAuth, a device interaction, manual configuration….
>
> Yes - they're all still all OAuth tokens, though. As opposed to passwords,
> basic auth tokens, etc., (which are also bearer tokens, but not OAuth tokens).
>
> A server receives a bearer token in a request.
>
> Dirk, are you saying the contents of the token (at that it is a bearer token)
> is not enough for the server?
>
> No - I'm sure the server can look at the token and figure out that it's an
> OAuth token. All I'm saying is that if it's an OAuth token, we should call it
> an OAuth token.
>
> Dirk.
>
> Does the server also need to know that it came from an OAuth flow? If so, I
> suspect the server actually needs to know more than that: such as which OAuth
> flow was used (eg user-delegation, client-only, assertion, future device flow
> etc), or from which authorization server it came. I don’t think a scheme name
> saying “OAuth” helps.
>
> --
> James Manger
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth