[Openid-specs-ab] Review Comments on Multiple Response Types

Mike Jones Michael.Jones at microsoft.com
Tue Dec 17 23:34:08 UTC 2013


These review comments have been applied at http://openid.bitbucket.org/.  Thanks, as always!  The example you suggested is now live at http://openid.bitbucket.org/oauth-v2-multiple-response-types-1_0.html#FragmentExample.

4.  I think Google uses "none" to probe whether an Authorization is still valid in contexts where they're not interested in an updated access token.  It's not used by OpenID Connect.

				-- Mike

-----Original Message-----
From: Torsten Lodderstedt [mailto:torsten at lodderstedt.net] 
Sent: Wednesday, November 06, 2013 5:49 PM
To: Openid-specs Ab; Mike Jones
Subject: Review Comments on Multiple Response Types

Hi Mike,

Here are my review comments on Multiple Response Types.

Regards,
Torsten.

2.1.

"For purposes of this specification, the default Response Mode for the OAuth 2.0 code response_type is the query encoding. For purposes of this specification, the default Response Mode for the OAuth 2.0 token response_type is the fragment encoding." - I would suggest to format code, token, query and fragment as key words (instead of response_type), this will aid the reader to map the corresponding concepts.

4. None Response Type

What is this response type used for?

5.

Example: I think it would make sense to show fragment encoding of a hybrid response type including "code", e.g. "code id_token" in order to show the expected default encoding behavior if any fragment encoded artifact is present (as described in this section).
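
The default encoding rule discussed in this thread, as an added example that is not part of either message or of the specification: a client-side check that response parameters arrived in the component the requested response_type implies. The function names, the redirect URLs and the token values are constructed for illustration, and the rule that id_token forces fragment encoding is taken from the hybrid case described above.

```python
from urllib.parse import urlsplit, parse_qs

# response_type values whose presence makes fragment the default encoding
# (assumption from the thread: `token`, and `id_token` in a hybrid response).
FRAGMENT_ARTIFACTS = {"token", "id_token"}
# Response parameter that carries each response_type value.
PARAM_FOR = {"code": "code", "token": "access_token", "id_token": "id_token"}


def default_response_mode(response_type: str) -> str:
    """Return 'fragment' if any fragment-encoded artifact is requested, else 'query'."""
    values = set(response_type.split())
    return "fragment" if values & FRAGMENT_ARTIFACTS else "query"


def parse_authorization_response(redirect_url: str, response_type: str) -> dict:
    """Parse a redirect URL and reject artifacts delivered in the wrong component."""
    parts = urlsplit(redirect_url)
    query, fragment = parse_qs(parts.query), parse_qs(parts.fragment)
    mode = default_response_mode(response_type)
    expected, other = (fragment, query) if mode == "fragment" else (query, fragment)

    # An artifact in the non-default component means the response was not
    # encoded as requested (e.g. a hybrid `code` placed in the query string).
    misplaced = sorted(set(other) & set(PARAM_FOR.values()))
    if misplaced:
        raise ValueError(f"{misplaced} outside the {mode} component")

    wanted = {PARAM_FOR[v] for v in response_type.split() if v in PARAM_FOR}
    missing = sorted(wanted - set(expected))
    if missing:
        raise ValueError(f"missing {missing} in the {mode} component")

    repeated = sorted(k for k, v in expected.items() if len(v) > 1)
    if repeated:
        raise ValueError(f"repeated parameters {repeated}")
    return {k: v[0] for k, v in expected.items()}


# Constructed sample: hybrid "code id_token" response, fragment-encoded.
HYBRID_OK = ("https://client.example.org/cb"
             "#code=CONSTRUCTED_CODE&id_token=CONSTRUCTED.ID.TOKEN&state=xyz")
# Constructed sample: same artifacts wrongly placed in the query string.
HYBRID_BAD = ("https://client.example.org/cb"
              "?code=CONSTRUCTED_CODE&id_token=CONSTRUCTED.ID.TOKEN&state=xyz")

if __name__ == "__main__":
    print(parse_authorization_response(HYBRID_OK, "code id_token"))
```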
