<html><head></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">Yes, I think it is a restricted form of access token. The main difference is that you can require a shared secret to be sent with code, where there seems to be no OAuth 2.0 way to do the same with an access token.<div><br></div><div>I think that is something that should be rationalized in OAuth 2.0.</div><div><br></div><div>John B.<br><div><div>On 2011-01-07, at 4:50 AM, Nat Sakimura wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite">In fact, the difference between code and access_token seems to be as follows: <div><br></div><div>code: </div><div> applicable endpoint: One Predefined Endpoint Only (token endpoint) </div><div> cardinality of the use: Only Once. </div>
<div>access_token: </div><div> applicable endpoint: Potentially Many Endpoints</div><div> cardinality of the use: Many. </div><div><br></div><div>So, "code" in fact is a restricted form of access_token. </div>
<div><br></div><div>=nat<br><br><div class="gmail_quote">On Thu, Jan 6, 2011 at 4:55 PM, hideki nara <span dir="ltr">&lt;<a href="mailto:hdknr@ic-tact.co.jp">hdknr@ic-tact.co.jp</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
access_token is enough.<br>
If token formats other than JWT can be allowed, we need some way<br>
to negotiate.<br>
<br>
"code" looks like an artifact. But if tokens are forced to be in<br>
self-describing forms, "code" seems to be ok.<br>
---<br>
hdknr<br>
<br>
2011/1/6 Breno de Medeiros &lt;<a href="mailto:breno@google.com">breno@google.com</a>&gt;:<br>
<div><div></div><div class="h5">> +1<br>
> Everything about the response content should be signed. It just makes things<br>
> simpler to process.<br>
><br>
> On Wed, Jan 5, 2011 at 02:40, Nat Sakimura &lt;<a href="mailto:sakimura@gmail.com">sakimura@gmail.com</a>&gt; wrote:<br>
>><br>
>> Hi.<br>
>> The current <a href="http://openidconnect.com/" target="_blank">openidconnect.com</a> page has a variable "signed" in the<br>
>> response.<br>
>> It is a new variable which is not present in the current OAuth draft.<br>
>> The "signed" includes access_token and user_id among other things. It<br>
>> probably should be a JWT.<br>
>> Should we continue to use "signed" or other variable name?<br>
>> The reasons why I am asking this are:<br>
>> 1. It looks a lot like a structured "code" or "access_token". Perhaps<br>
>> we should call it "access_token" (or "code") instead?<br>
>> 2. If we are to introduce a new variable, "signed" seems to be a little too<br>
>> generic. Is there a better name for it? (Perhaps "openid"?)<br>
>><br>
>> --<br>
>> Nat Sakimura (=nat)<br>
>> <a href="http://www.sakimura.org/en/" target="_blank">http://www.sakimura.org/en/</a><br>
>> <a href="http://twitter.com/_nat_en" target="_blank">http://twitter.com/_nat_en</a><br>
>><br>
>> _______________________________________________<br>
>> Openid-specs-ab mailing list<br>
>> <a href="mailto:Openid-specs-ab@lists.openid.net">Openid-specs-ab@lists.openid.net</a><br>
>> <a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a><br>
>><br>
><br>
><br>
><br>
> --<br>
> --Breno<br>
><br>
><br>
><br>
</div></div></blockquote></div><br><br clear="all"><br>-- <br>Nat Sakimura (=nat)<br><a href="http://www.sakimura.org/en/">http://www.sakimura.org/en/</a><br><a href="http://twitter.com/_nat_en">http://twitter.com/_nat_en</a><br>
</div>
</blockquote></div><br></div></body></html>