I actually think the protected resource specifies the token type(s) in either
it's service docs or discovery information, and it does know knowing it's
authentication server will issue compatible tokens. The client may encounter
endpoints requiring token types it doesn't support, and it needs to fail
gracefully. The client may select any supported OAuth 2 scheme it understands
which the PR supports.
I am not in favor of specifying MUST for any particular flavor of token.
What is the value of mandating a token type?
-bill
________________________________
From: Eran Hammer-Lahav <e...@hueniverse.com>
To: John Bradley <ve7...@ve7jtb.com>; Torsten Lodderstedt
<tors...@lodderstedt.net>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Sent: Wednesday, November 2, 2011 1:11 PM
Subject: Re: [OAUTH-WG] AD review of -22
Do you want to see no change or adjust it to client must implement both, server
decides which to use.
EHL
________________________________
From: oauth-boun...@ietf.org [oauth-boun...@ietf.org] On Behalf Of John
Bradley [ve7...@ve7jtb.com]
Sent: Wednesday, November 02, 2011 1:06 PM
To: Torsten Lodderstedt
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] AD review of -22
+1
On 2011-11-02, at 4:45 PM, Torsten Lodderstedt wrote:
Hi Stephen,
>
>I'm concerned about your proposal (7) to make support for MAC a MUST for
>clients and BEARER a MAY only. In my opinion, this does not reflect the
>group's consensus. Beside this, the security threat analysis justifies usage
>of BEARER for nearly all use cases
as long as HTTPS (incl. server authentication) can be utilized.
>
>regards,
Torsten.
>Am 13.10.2011 19:13, schrieb Stephen Farrell:
>
>>Hi all,
>>
>>Sorry for having been quite slow with this, but I had a bunch
>>of travel recently.
>>
>>Anyway, my AD comments on -22 are attached. I think that the
>>first list has the ones that need some change before we push
>>this out for IETF LC, there might or might not be something
>>to change as a result of the 2nd list of questions and the
>>rest are really nits can be handled either now or later.
>>
>>Thanks for all your work on this so far - its nearly there
>>IMO and we should be able to get the IETF LC started once
>>these few things are dealt with.
>>
>>Cheers,
>>S.
>>
>>
>>
>>
>>_______________________________________________
OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
>OAuth mailing list
>OAuth@ietf.org
>https://www.ietf.org/mailman/listinfo/oauth
>
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
