Re: [OAUTH-WG] Mandatory-to-implement token type

[Eran Hammer-Lahav <eran@hueniverse.com>]

> 1. Should we specify some token type as mandatory to implement?  Why or
> why not (*briefly*)?

On the server - no. It makes no sense because the server dictates the token type so if it decides to never issue the mandated type, what's the point in implementing?

On the client, maybe. If the server knows that a client will always understand a set of token types, it can choose to use that and ensure interop (or not). In practice, mandating will add no real interop value. Almost every client will hard-code the token types it needs to understand and providers are not likely to support more than one or to change it. We can mandate a type for 'generic clients' so that libraries support both, but it won't actually make any difference.

Bottom line, this is a red herring. OAuth doesn't really provide this level of interop and was never designed for that. In the future, when we have more interop web APIs (photos, social, etc.) and we have real world experience with discovery, this will be important. But that's a few years away (at least).
 
> 2. If we do specify one, which token type should it be?

This is a no win situation. Most providers will ignore a requirement to support MAC, or will support it but will not see much usage because most developers when given the choice will go with Bearer. Mandating Bearer will be ignored by providers who want better security and will most likely render MAC pointless. If we mandate Bearer, I see no point in even publishing MAC as it will turn into a purely theoretical exercise.

Given the history of this group, no change is the only likely consensus.

EHL