I echo Dick's sentiment, mildly -1 to splitting acquiring and using a token. It may not confuse people actively engaged in the WG but what about everyone else?
Also, as Torsten and I look at security considerations, I wonder if there are some examples that link the threat model for acquiring a token and using a token. So:

1) Will the decisions a service provider makes when granting a token depend on, or affect, the use case for using that token?
2) Will the use case, grant type or other flow parameters a client selects for acquiring a token, depend on how they will use that token?

I don't have concrete examples to back this up but possibilities include: automatic granting of access token, refresh tokens, non-secure channels, ??

Regards
Mark McGloin

Dick Hardt wrote on 29/09/2010 01:08
> I am mildly concerned that breaking the spec into multiple parts makes it harder for the spec reader to understand what is going on. Where does a complete example of
> getting and using a token? Imagine how confusing HTTP would be if the request and response were in separate specs.
