[Openid-specs-ab] Comment on Messages
Andreas Åkre Solberg
andreas.solberg at uninett.no
Fri Sep 2 12:18:44 UTC 2011
In the Messages document:
> This specification further constrains that only Bearer Tokens [OAuth.2.0.Bearer] are issued at the Token endpoint. The OAuth 2.0 response parameter "token_type" MUST be set to "Bearer".
>
First, I would say that even if I think it is OK to use bearer tokens, I would strongly advise against restricting the types of tokens to this particular type for all future use. Bearer is criticized a lot [1].
Second, if you restrict the type of token to bearer, you can save the effort of defining the JWT token type in the 'Standards' document.
[1]: http://hueniverse.com/2010/09/oauth-2-0-without-signatures-is-bad-for-the-web/
Also, the example in section 6.1 uses access_token, while I think it should be bearer_token.