Hiya,
On 12/02/2011 02:14 AM, Michael D Adams wrote:
> On Thu, Dec 1, 2011 at 5:44 PM, Stephen Farrell
> <stephen.farr...@cs.tcd.ie> wrote:
>> On 12/02/2011 01:38 AM, Michael D Adams wrote:
>>> So an MTI token type + no client preference is equivalent to there
>>> only existing one token type.
>>
>> Maybe.
>> However, no MTI token type + no client preference = no interop.
>> So I don't get your argument. (When thinking of interop.)
>
> I think it's me that doesn't understand your argument.

That can be mutual:-)

> Suppose an authorization server implements OAuth2 and has some
> requirement that the MTI token type doesn't provide (as William Mills
> suggested), so the server implements token type AWESOME in addition to
> token type MTI.
>
> Whenever a token is requested, the authorization server issues one of
> type AWESOME. Type MTI is never issued.
>
> Why bother implementing type MTI if it's never used?

That, I think, assumes that the requesting party only ever works with
the AWESOME token-type issuer. Seems a shame to me that whoever wrote
that code can't work with any other MTI token-type issuer as well, at
least.

> Additionally, the authorization server could not implement type MTI
> but claim it did. There's no way for a third party to verify the
> claim since the authorization server never issues a token of type MTI.

Irrelevant. I could claim to be handsome. Would work equally
well.

> If tokens of type MTI are never used by this server, how does the MTI
> token type help interop? Is your argument that this server would say
> "No, we do not support OAuth2. We do, however, support
> OAuth2+AWESOME."? That semantic argument I understand, but I am
> ignorant as to how/if it fits into the RFC.

No, my argument is that there are many servers and many clients on
the Internet and having them all have a way to interop, if they
choose to do so, is a good thing in itself. Writing an RFC so that
it's a random pick as to whether they do or don't interop is not IMO
a good thing.
S.
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth