On Thu, Dec 1, 2011 at 6:27 PM, Stephen Farrell <stephen.farr...@cs.tcd.ie> wrote: > On 12/02/2011 02:14 AM, Michael D Adams wrote: >> Suppose an authorization server implements OAuth2 and has some >> requirement that the MTI token type doesn't provide (as William Mills >> suggested), so the server implements token type AWESOME in addition to >> token type MTI. >> >> Whenever a token is requested, the authorization server issues one of >> type AWESOME. Type MTI is never issued. >> >> Why bother implementing type MTI if it's never used? > > That, I think, assumes that the requesting party only ever works with > the AWESOME token-type issuer. Seems a shame to me that whoever wrote > that code can't work with any other MTI token-type issuer as well, at > least.
Sorry, I was unclear. Suppose awesome.com only issues token of type AWESOME and mti.com only issues tokens of type MTI. Suppose further that client X understands how to handle both types of tokens and can receive and use tokens from both awesome.com and mti.com. My question does not concern the client. My question is: Why should awesome.com bother implementing type MTI if it will never issue such a token? >> Additionally, the authorization server could not implement type MTI >> but claim it did. There's no way for a third party to verify the >> claim since the authorization server never issues a token of type MTI. > > Irrelevant. I could claim to be handsome. Would work equally > well. I claim the argument helps show the meaninglessness of defining an MTI token type, but I think my statement of it is poorly formulated and trying to restate it more clearly will just take us down a road with as much relevance to the discussion as you grant my initial statement :) So I concede. >> If tokens of type MTI are never used by this server, how does the MTI >> token type help interop?Is your argument that this server would say >> >> "No, we do not support OAuth2. We do, however, support >> OAuth2+AWESOME."? That semantic argument I understand, but I am >> ignorant as to how/if it fits into the RFC. > > No, my argument is that there are many servers and many clients on > the Internet and having them all have a way to interop, if they > choose to do so, is a good thing in itself. Writing an RFC so that > its a random pick as to whether they do or don't interop is not IMO > a good thing. Thanks. I understand better what you're saying. I believe you're saying: 1. In a world where there is a MTI token type, my hypothetical only-issue-tokens-of-type-AWESOME has explicitly opted out of interoperability. 2. In a world where there is no MTI token type, interoperability becomes ad hoc and so non-existant. _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
