Re: [OAUTH-WG] Mandatory-to-implement token type

Michael D Adams <mike@automattic.com> Fri, 02 December 2011 01:39 UTC

To: Barry Leiba <barryleiba@computer.org>
Cc: oauth WG <oauth@ietf.org>

I echo Justin Richer's comments.

On Thu, Nov 17, 2011 at 12:28 AM, Barry Leiba <barryleiba@computer.org> wrote:
> 1. Should we specify some token type as mandatory to implement?  Why
> or why not (*briefly*)?

No.  There's no mechanism in the spec for clients to request a
particular token type, so there's no opportunity for the authorization
server to decide what token type to send.  The only thing the
authorization server can do is pick its own preference.

If there's an MTI token type, and with the absence of a client
preference, the authorization server will have to pick the MTI token
type.

So an MTI token type + no client preference is equivalent to there
only existing one token type.

Mike

PS: I sent this 2011/11/17 but apparently hit reply instead of reply all.