[Openid-specs-ab] [openid/connect] Basic & other specs - token type (issue #620)

John Bradley issues-reply at bitbucket.org
Sun Jul 15 00:48:03 UTC 2012



New issue 620: Basic & other specs - token type
https://bitbucket.org/openid/connect/issue/620/basic-other-specs-token-type

John Bradley:

Basic states token type MUST be bearer.
It has no check for that in the flow.
It is implied in OAuth but could be unclear to some people.

The other issue is that we may be shooting ourselves in the foot with the MUST.

I think wording that Basic and implicit profile MUST implement Bearer and that the client MUST ensure the token type in the response is one it supports would be better.

For the server side the token type MUST be bearer unless some other token type has been negotiated with the client out of band.

That allows a future HoK token type extension without breaking the existing specs.



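The client-side check proposed in the issue, sketched as an added example (not part of the original message or of the OpenID Connect specs): the client rejects a token response whose `token_type` it does not support before the access token is used. The function names, the sample responses and the `hok` type value are constructed for illustration; the comparison is case-insensitive as RFC 6749 section 5.1 specifies.

```python
import json

# Token types this hypothetical client implements (compared in lower case).
SUPPORTED_TOKEN_TYPES = {"bearer"}

# Constructed sample token endpoint responses, not captured traffic.
SAMPLE_BEARER = '{"access_token": "example-token-1", "token_type": "Bearer"}'
SAMPLE_HOK = '{"access_token": "example-token-2", "token_type": "hok"}'
SAMPLE_MISSING = '{"access_token": "example-token-3"}'


class TokenResponseError(ValueError):
    """Raised when a token response must not be used."""


def validate_token_response(body, supported=SUPPORTED_TOKEN_TYPES):
    """Return (token_type, access_token) or raise TokenResponseError.

    Fails closed: a missing, non-string or unsupported token_type is
    rejected before the access token reaches any caller.
    """
    try:
        resp = json.loads(body)
    except json.JSONDecodeError as exc:
        raise TokenResponseError("response is not JSON") from exc
    if not isinstance(resp, dict):
        raise TokenResponseError("response is not a JSON object")

    token_type = resp.get("token_type")
    if not isinstance(token_type, str) or not token_type:
        raise TokenResponseError("token_type missing or not a string")
    normalized = token_type.lower()  # value is case insensitive
    if normalized not in supported:
        raise TokenResponseError("unsupported token_type: %r" % token_type)

    access_token = resp.get("access_token")
    if not isinstance(access_token, str) or not access_token:
        raise TokenResponseError("access_token missing")
    return normalized, access_token


def authorization_header(body):
    """Build the request header only after the type check has passed."""
    token_type, token = validate_token_response(body)
    if token_type == "bearer":
        return {"Authorization": "Bearer " + token}
    # A type in the supported set with no sending rule is a client bug.
    raise TokenResponseError("no header scheme for " + token_type)
```

A client that later adds another token type extends `SUPPORTED_TOKEN_TYPES` and `authorization_header` together, so an unexpected type is never sent as if it were a bearer token.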