Re: [OAUTH-WG] Draft 20 last call comments

Justin Richer <> Thu, 18 August 2011 14:28 UTC

From: Justin Richer <>
To: "Lodderstedt, Torsten" <>
In-Reply-To: <>
References: <1313096811.22073.96.camel@ground> <90C41DD21FB7C64BB94121FBBC2E72345029DFA82D@P3PW5EX1MB01.EX1.SECURESERVER.NET> <>
Date: Thu, 18 Aug 2011 10:29:04 -0400
Message-ID: <1313677744.13419.119.camel@ground>
Cc: "Anganes, Amanda L" <>, "OAuth WG (" <>
Subject: Re: [OAUTH-WG] Draft 20 last call comments

> >> 1.3/1.4/1.5: Consider switching order to Authorization Grant, Access Token,
> >> Refresh Token
> >Not sure. What do others think? I put access token first because it is a more important term to get out of the way.
> I would rather consider changing the order to Access Token, Refresh Token, Authorization Grant, since the first two are the core OAuth concepts developers must become familiar with. Authorization grants are "just" a means to an end to get the token for certain client types. Moreover, I expect the number of authorization grants to increase over time.

You have to use *some* kind of authorization grant to get any kind of
token, and this part of the OAuth spec is all about "how to get a token
in a programmatic way". I agree that there will be many more types of
auth grants in the future, and that's why I think it should be the first
concept in the list.

I can see the logic of putting both token types first (though I still
prefer the auth grant first), but having the auth grant in between the
two token types is definitely a bad idea.

 -- Justin