Re: [OAUTH-WG] I-D Action:draft-ietf-oauth-v2-12.txt

[Eran Hammer-Lahav <eran@hueniverse.com>]

> -----Original Message-----
> From: Marius Scurtescu [mailto:mscurtescu@google.com]
> Sent: Wednesday, January 26, 2011 1:43 PM
> To: Eran Hammer-Lahav
> Cc: oauth@ietf.org
> Subject: Re: [OAUTH-WG] I-D Action:draft-ietf-oauth-v2-12.txt
 
> >> 1. The token_type parameter is required in responses from the server.
> >> If the server supports multiple formats, which one will be used? In
> >> this case, would it make sense to allow the client to request a specific
> format?
> >>
> >> For example, if the authorization server supports both MAC and
> >> BEARER, which one will the server issue?
> >
> > It might in some cases, but I suspect most providers are going to decide
> which scheme provides the right level of security for them and just use that.
> If you are going to allow both MAC and BEARER, you are basically letting
> clients decide which level to operate at. Do you have a need or plan to
> support multiple token types?
> 
> For now we are planning to support only bearer, but I am sure some form of
> signed tokens will follow sooner than later. At which point we would have to
> support both.
> 
> In most cases I think it is up to the client to decide.

Interesting. Given that you are not planning on supporting this in the near future, I think we should wait until there is more deployment experience in allowing the client to negotiate the token type. But of course, you are welcome to submit a proposal for inclusion on the WG new charter.

EHL