Re: [OAUTH-WG] "access grant" terminology

[Eran Hammer-Lahav <eran@hueniverse.com>]

On 7/10/10 7:46 PM, "Brian Eaton" <beaton@google.com> wrote:

> The term "access grant" in the -09 spec is a bit odd.  Normally
> "access grant" or "permission grant" would refer to a specific policy
> decision made by a resource owner.
> 
> But that's not how the -09 spec uses the term.  The -09 spec refers to
> authorization codes and assertions as "access grants".  Again, that's
> weird.  Normally an assertion would be referred to as a "credential",
> not a grant.

Access grant is something that represents the decision made by the resource
owner. If the resource owner approves access, it is represented by a
authorization code. If the resource owner shares its password, it is
equivalent to unlimited access grant.

I coined the term based on common language, not on any existing terminology.
If there is a real conflict here, I am happy to consider another term, but
it doesn't sound like this is the case, or that the term is used against its
meaning.

> I think the term "authorization credential" might be a better fit than
> "access grant".
> 
> It certainly describes the purpose of the authorization code and the
> assertion.  And the term "credential" is normally used to describe
> things that need to be verified and protected.

I think authorization credential is going to confuse most readers. The spec
refers to credentials almost exclusively when dealing with identifier and
password (client, end-user), or as a general term for client authentication.
Authorization is specific to the end-user authorization endpoint and will be
confusing when used with assertions and other grant types.

So I'm open to other ideas but not this one.

Note that since this term impacts the name of the current 'grant_type'
parameter, changing it means code changes.

If anyone has a last minute idea please share (or if you are happy with the
current grant type). I expect it to be annoying to change once -10 is stable
for 4 weeks.

EHL