Return-Path: X-Original-To: oauth@core3.amsl.com Delivered-To: oauth@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id D2B1B3A6928 for ; Fri, 25 Jun 2010 11:18:26 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.226 X-Spam-Level: X-Spam-Status: No, score=-2.226 tagged_above=-999 required=5 tests=[AWL=0.373, BAYES_00=-2.599] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CqGGZkXBs+WF for ; Fri, 25 Jun 2010 11:18:26 -0700 (PDT) Received: from p3plex1out01.prod.phx3.secureserver.net (p3plex1out01.prod.phx3.secureserver.net [72.167.180.17]) by core3.amsl.com (Postfix) with SMTP id E79433A68BD for ; Fri, 25 Jun 2010 11:18:25 -0700 (PDT) Received: (qmail 1770 invoked from network); 25 Jun 2010 18:18:34 -0000 Received: from unknown (HELO smtp.ex1.secureserver.net) (72.167.180.21) by p3plex1out01.prod.phx3.secureserver.net with SMTP; 25 Jun 2010 18:18:34 -0000 Received: from P3PW5EX1MB01.EX1.SECURESERVER.NET ([10.6.135.20]) by P3PW5EX1HT003.EX1.SECURESERVER.NET ([72.167.180.21]) with mapi; Fri, 25 Jun 2010 11:18:29 -0700 From: Eran Hammer-Lahav To: Dick Hardt Date: Fri, 25 Jun 2010 11:18:12 -0700 Thread-Topic: [OAUTH-WG] Extensibility for OAuth? Thread-Index: AcsUkgtMuUUiIQrkTlOdovjsi2b5cwAAFinw Message-ID: <90C41DD21FB7C64BB94121FBBC2E72343B3EC84999@P3PW5EX1MB01.EX1.SECURESERVER.NET> References: <3D3C75174CB95F42AD6BCC56E5555B4502BE07CC@FIESEXC015.nsn-intra.net> <90C41DD21FB7C64BB94121FBBC2E72343B3EC84973@P3PW5EX1MB01.EX1.SECURESERVER.NET> In-Reply-To: Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: acceptlanguage: en-US Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Cc: OAuth, "Tschofenig, Hannes \(NSN - FI/Espoo\)" , WG Subject: Re: [OAUTH-WG] Extensibility for OAuth? X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.9 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 25 Jun 2010 18:18:26 -0000 I think the two endpoints are currently well defined. For example, the toke= n endpoint always takes an access grant and turns it into an access token w= ith optional refresh token. To "extend" it to say, register new clients dyn= amically, is a bad thing. But adding a new parameter (such as language) is = a good thing to support, and by requiring review, only parameters that don'= t change the overall design will be approved. EHL > -----Original Message----- > From: Dick Hardt [mailto:dick.hardt@gmail.com] > Sent: Friday, June 25, 2010 11:13 AM > To: Eran Hammer-Lahav > Cc: Tschofenig, Hannes (NSN - FI/Espoo); OAuth WG > Subject: Re: [OAUTH-WG] Extensibility for OAuth? >=20 > Would you elaborate on your reasons here? Do you think we have > enumerated all the possibilities? >=20 > On 2010-06-25, at 10:59 AM, Eran Hammer-Lahav wrote: >=20 > > I would rather limit the ability to extend the two endpoints beyond the= ir > current architecture, and instead, allow others to specify new endpoints = (e.g. > a device endpoint for getting an authorization code without using browser > redirection) that work in addition to the token endpoint (using an existi= ng > grant type or assertion).