+1 to David. If it’s a redirect, 307 is more appropriate. It’s up to the AS to decide if the client should do MTLS or not, if there’s an option.
— Justin On Feb 4, 2019, at 12:17 PM, David Waite <da...@alkaline-solutions.com<mailto:da...@alkaline-solutions.com>> wrote: My understanding is that a permanent redirect would be telling the client (and any other clients getting cached results from an intermediary) to now stop using the original endpoint in perpetuity for all cases. I don’t think that is appropriate (in the general case) for an endpoint with request processing business logic behind it, since that logic may change over time. -DW On Feb 4, 2019, at 6:28 AM, Brian Campbell <bcampbell=40pingidentity....@dmarc.ietf.org<mailto:bcampbell=40pingidentity....@dmarc.ietf.org>> wrote: Yeah, probably. On Sat, Feb 2, 2019 at 12:39 AM Neil Madden <neil.mad...@forgerock.com<mailto:neil.mad...@forgerock.com>> wrote: If we go down the 307 route, shouldn’t it rather be a 308 (permanent) redirect? It seems unnecessary for the client to keep trying the original endpoint or have to remember cache-control/expires timeouts. — Neil _______________________________________________ OAuth mailing list OAuth@ietf.org<mailto:OAuth@ietf.org> https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
