[Openid-specs-ab] Is it SHOULD or MUST?

Brian Campbell bcampbell at pingidentity.com
Tue Jun 4 14:28:35 UTC 2013


One way or the other it should match up to OAuth 2.0 Multiple Response Type
Encoding Practices so as not to have inconsistencies in the spec suite.

It's maybe better to not have a MUST or SHOULD here at all.


On Sat, Jun 1, 2013 at 7:09 PM, Nat Sakimura <sakimura at gmail.com> wrote:

> In the 2nd paragraph of
> 2.2.6.1.  End-User Grants Authorization
> of Standard, it states:
>
> Note that if the response_type parameter in the Authorization Request
> includes the string value token or id_token, all response parameters
> SHOULD be added to the fragment component of the redirection URI.
> Otherwise, the response parameters are added to the query component of the
> redirection URI.
>
> Is it SHOULD? Is it not MUST?
> SHOULD means that it can be sent otherwise, e.g., as query string.
>
> --
> Nat Sakimura (=nat)
> Chairman, OpenID Foundation
> http://nat.sakimura.org/
> @_nat_en
>
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20130604/93c28ff8/attachment.html>


More information about the Openid-specs-ab mailing list