Re: [OAUTH-WG] Mandatory-to-implement token type

William Mills <> Fri, 02 December 2011 04:59 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 4872311E80AA for <>; Thu, 1 Dec 2011 20:59:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -17.523
X-Spam-Status: No, score=-17.523 tagged_above=-999 required=5 tests=[AWL=0.075, BAYES_00=-2.599, HTML_MESSAGE=0.001, USER_IN_DEF_WHITELIST=-15]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id MaCmrgEUHLTk for <>; Thu, 1 Dec 2011 20:59:03 -0800 (PST)
Received: from ( []) by (Postfix) with SMTP id 4FD0611E80A6 for <>; Thu, 1 Dec 2011 20:59:03 -0800 (PST)
Received: from [] by with NNFMP; 02 Dec 2011 04:58:56 -0000
Received: from [] by with NNFMP; 02 Dec 2011 04:58:56 -0000
Received: from [] by with NNFMP; 02 Dec 2011 04:58:56 -0000
X-Yahoo-Newman-Property: ymail-3
Received: (qmail 38105 invoked by uid 60001); 2 Dec 2011 04:58:55 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=ginc1024; t=1322801935; bh=CX95AztNtxsJUZSjWPx5qVIdaRMzxUjtOp3wbGXR+WQ=; h=X-YMail-OSG:Received:X-RocketYMMF:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:Cc:In-Reply-To:MIME-Version:Content-Type; b=p7usqffQ/b1OEAjTid4Ex84tBRyznNGPSdyqgXj8vnVUZBoBM486tWZkir/B/4KMqqQ+dmJj52uZzDEfqLRPL0tvGBnAcLHFpcHEClR7z+julqZjxUJH5u4grVN7Dfz1B7aK0PhyWlFAVsVoto1PmxYUkSqGbe1X2tL60G02eh0=
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=ginc1024;; h=X-YMail-OSG:Received:X-RocketYMMF:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:Cc:In-Reply-To:MIME-Version:Content-Type; b=VWbGGT6bwAPQrt/CnW/y6QUmctQhonzAUzJd8VdbDu+ipAl7DK84d6HW8dl0DeUsSWOtAQmohUd6oOoSvHjXS2qnomXqdClICi7OYrUlUsXpZaCwJMXeNckxvbCoAkmmkGeUKYxNIEE5nG02x7lFPOTjqAuGjvRDE20bFg1RvC0=;
X-YMail-OSG: YPhiwNIVM1lJBzugdlbFPBor94nnm8uDpeRJz9JyGg2m9QK sN95WyzS9Kl57dXkAaRlrnHcR3hdE_q_4p6zzTcVaYSxXwDked7bWgs96vYT SxJWacefaWIzagTqDoQpyh9hT_XSJkm_mqYCu0I0b8USpv7_b2m53UlMso0X wou0366L3IK9G.80NM_Thcz2aXs17hjhFMrtZlnVz_Rh_9YFPAK3U8O6t2WA snxp7M2cZMv6inef0hB8P.eFjxMpg_MUlqcH9kkYSCNMtgdiiux8XMxlyY42 jKSAulQphyhfPO.H0_UglHqfSuDROe3ZDb3FBeMFNdza003NbETnN0L0vF5A N9ZDuWjkn7mJs0AjvBSArZd0umeipZJ6QwaUOGU2Yd6RiD5dF7tm_Dxckp1a AMiFlURejyXSGMem.fFJ2YKw-
Received: from [] by via HTTP; Thu, 01 Dec 2011 20:58:55 PST
X-RocketYMMF: william_john_mills
X-Mailer: YahooMailWebService/
References: <> <> <> <>
Message-ID: <>
Date: Thu, 01 Dec 2011 20:58:55 -0800
From: William Mills <>
To: Michael D Adams <>, Stephen Farrell <>
In-Reply-To: <>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="-1055047407-1613328379-1322801935=:94232"
Cc: Barry Leiba <>, oauth WG <>
Subject: Re: [OAUTH-WG] Mandatory-to-implement token type
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: William Mills <>
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 02 Dec 2011 04:59:04 -0000

The problem is that token type AWESOME may have different mechanics for submission.  The client has to know how to use it.  I do agree we have a disconnect here, and that what we have right now leans completely on "reading the service documentation" for the Auth and RP endpoints you want to use.

 From: Michael D Adams <>
To: Stephen Farrell <> 
Cc: Barry Leiba <>; oauth WG <> 
Sent: Thursday, December 1, 2011 6:14 PM
Subject: Re: [OAUTH-WG] Mandatory-to-implement token type
On Thu, Dec 1, 2011 at 5:44 PM, Stephen Farrell
<> wrote:
> On 12/02/2011 01:38 AM, Michael D Adams wrote:
>> So an MTI token type + no client preference is equivalent to there
>> only existing one token type.
> Maybe.
> However, no MTI token type + no client preference = no interop.
> So I don't get your argument. (When thinking of interop.)

I think it's me that doesn't understand your argument.

Suppose an authorization server implements OAuth2 and has some
requirement that the MTI token type doesn't provide (as William Mills
suggested), so the server implements token type AWESOME in addition to
token type MTI.

Whenever a token is requested, the authorization server issues one of
type AWESOME.  Type MTI is never issued.

Why bother implementing type MTI if it's never used?

Additionally, the authorization server could not implement type MTI
but claim it did.  There's no way for a third party to verify the
claim since the authorization server never issues a token of type MTI.

If tokens of type MTI are never used by this server, how does the MTI
token type help interop?  Is your argument that this server would say
"No, we do not support OAuth2.  We do, however, support
OAuth2+AWESOME."?  That semantic argument I understand, but I am
ignorant as to how/if it fits into the RFC.
OAuth mailing list