No, it's great exactly *because* you can represent things in the access token that make sense for your app/domain and it stays opaque to the parties who shouldn't care: the clients. Access tokens aren't opaque to the AS (or PR); because of OAuth's flexibility of token formats, you can use what works.
--Justin
/sent from my phone/

Anthony Nadalin <tony...@microsoft.com> wrote:
>_______________________________________________
>OAuth mailing list
>OAuth@ietf.org
>https://www.ietf.org/mailman/listinfo/oauth