[Openid-specs-ab] Comment on Messages
Andreas Åkre Solberg
andreas.solberg at uninett.no
Tue Sep 6 18:04:52 UTC 2011
On 3. sep.2011, at 06:34, Nat Sakimura wrote:
> While I sympathise with the need for flexibility, for the interoperability, profiling narrowly would be a good thing.
Interoperability is super important, but it does not need to be in conflict with interoperability.
I'm in favor of spec-ing things like this:
Both Provider and RP MUST support Bearer Tokens. Both MAY support additional token_types. A Provider MUST never issue other token types than "Bearer", unless the Provider has knowledge of which token_types the RP supports (using out of band negotiation, for example metadata).
> As to the criticism [1], I would not actually care. It is just the matter of using signed and possibly encrypted JWT as access_token if you wanted more security.
What do you mean? Do you mean that the RP will create the JWT, or that the bearer token received by the RP is a JWT generated by the OP?