If I read section 8.4 correctly it seems that new response types can be defined but composite values must be registered explicitly.
I don't think this approach scales too well. OpenID Connect for example is adding a new response type: id_token. id_token can be combined with either code or token and potentially with both of them, the following combinations must be registered as a result: code+id_token token+id_token code+token+id_token and this assumes that code+token is already registered. I think it makes more sense to define response_type as a space separated list of items, where each item can be individually registered. I do realize that this complicates things quite a bit (not we have to define and deal with both composite response_type and the individual items). As a side note, using + as separator could cause lots of problems. If people naively type "code+toke" it will be decoded as "code token". No one will remember the hex code for +. Marius _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
