Section 4 seems to intermix obtaining an authorization grant with obtaining tokens. Yes, it is called "Request an Access Token". This seems particularly confusing after reading section 3, which separates requesting authorization from the token endpoints. My first reaction was: is there a section missing?
After I began reading section 4, it starts talking about obtaining authorization. Should section 4 be "protocol flow"? I think it can work with an intro explaining the protocol at a high level. E.g. 3 steps:

1. Obtain authorization from Authorization Endpoint
2. Obtain access token from Token Endpoint
3. Access resource

Then for each flow pattern, show how steps 1, 2, and 3 are completed. For 2-legged cases, indicate how step 1 is completed implicitly (e.g. by policy, previous arrangement, or OOB).

It might also be better if section 5 became a sub-section within 4.0. I see why it is separate, since the last step is always the same. But still, it added to my initial confusion.

The general impression I have is that draft 12 is half way to a flow orientation, as suggested by Eran.

ps. I still remain neutral on structure (end-point vs. flow) as long as it is clear.

Regards,
Phil
[email protected]

_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
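The three-step structure Phil proposes (authorization endpoint, token endpoint, resource access) and the 2-legged variant where step 1 is implicit, as an added worked example that is not part of the post or of the draft. It is an in-memory model written for this page: the endpoint method names, error strings, the `Bearer` header form, the client registration and the checks the endpoints perform (redirect URI binding, single-use and expiring codes, client authentication, token expiry) are assumptions chosen to show where each step's authorization decision lives, not text from draft 12.

```python
# Added example: in-memory model of the 3-step OAuth 2.0 flow from the post.
# Everything here (names, checks, error strings, "Bearer" header) is assumed
# for illustration; it is not the draft's normative text.
import hmac
import secrets
import time


class AuthorizationServer:
    def __init__(self, clients, code_ttl=60, token_ttl=3600):
        self.clients = clients      # client_id -> {"secret", "redirect_uri"}
        self.codes = {}             # authorization code -> issuance record
        self.tokens = {}            # access token -> {"sub", "client_id", "exp"}
        self.code_ttl = code_ttl
        self.token_ttl = token_ttl

    def authorize(self, client_id, redirect_uri, user, approved, now=None):
        """Step 1: authorization endpoint (user-facing). Returns a one-time
        code bound to the client and redirect URI, or an error."""
        now = time.time() if now is None else now
        client = self.clients.get(client_id)
        # Refuse before redirecting: delivering a code to an unregistered
        # redirect_uri would hand it to whoever controls that page.
        if client is None or client["redirect_uri"] != redirect_uri:
            raise ValueError("invalid_request: unknown client or redirect_uri")
        if not approved:
            return {"error": "access_denied"}
        code = secrets.token_urlsafe(16)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                            "sub": user, "exp": now + self.code_ttl, "used": False}
        return {"code": code}

    def token(self, grant_type, client_id, client_secret,
              code=None, redirect_uri=None, now=None):
        """Step 2: token endpoint (client-to-server). Authenticates the client,
        validates the grant, and issues a bearer access token."""
        now = time.time() if now is None else now
        client = self.clients.get(client_id)
        if client is None or not hmac.compare_digest(client["secret"], client_secret):
            return {"error": "invalid_client"}
        if grant_type == "authorization_code":
            rec = self.codes.get(code)
            if (rec is None or rec["used"] or rec["exp"] <= now
                    or rec["client_id"] != client_id
                    or rec["redirect_uri"] != redirect_uri):
                return {"error": "invalid_grant"}
            rec["used"] = True          # codes are single-use
            subject = rec["sub"]
        elif grant_type == "client_credentials":
            # 2-legged: step 1 was completed out of band, by registering the
            # client and by the policy that allows it this grant type.
            subject = client_id
        else:
            return {"error": "unsupported_grant_type"}
        token = secrets.token_urlsafe(24)
        self.tokens[token] = {"sub": subject, "client_id": client_id,
                              "exp": now + self.token_ttl}
        return {"access_token": token, "token_type": "bearer",
                "expires_in": self.token_ttl}

    def validate(self, token, now=None):
        """Lookup used by the resource server to check a presented token."""
        now = time.time() if now is None else now
        rec = self.tokens.get(token)
        if rec is None or rec["exp"] <= now:
            return None
        return rec


def protected_resource(server, authorization_header, now=None):
    """Step 3: resource access. Identical for every flow, which is why the
    post notes this step could stand on its own."""
    if not authorization_header or not authorization_header.startswith("Bearer "):
        return 401, "missing bearer token"
    rec = server.validate(authorization_header[len("Bearer "):], now)
    if rec is None:
        return 401, "invalid or expired token"
    return 200, f"profile of {rec['sub']}"


# Constructed client registration for the example.
CLIENTS = {"app1": {"secret": "s3cret-app1", "redirect_uri": "https://app.example/cb"}}


def run_three_legged():
    """Web-server flow: steps 1, 2 and 3 all explicit; also shows that the
    consumed code cannot be replayed at the token endpoint."""
    srv = AuthorizationServer(CLIENTS)
    step1 = srv.authorize("app1", "https://app.example/cb", user="alice", approved=True)
    step2 = srv.token("authorization_code", "app1", "s3cret-app1",
                      code=step1["code"], redirect_uri="https://app.example/cb")
    step3 = protected_resource(srv, "Bearer " + step2["access_token"])
    replay = srv.token("authorization_code", "app1", "s3cret-app1",
                       code=step1["code"], redirect_uri="https://app.example/cb")
    return step3, replay


def run_two_legged():
    """Client-credentials flow: step 1 implicit, steps 2 and 3 explicit."""
    srv = AuthorizationServer(CLIENTS)
    step2 = srv.token("client_credentials", "app1", "s3cret-app1")
    return protected_resource(srv, "Bearer " + step2["access_token"])


if __name__ == "__main__":
    print(run_three_legged())   # ((200, 'profile of alice'), {'error': 'invalid_grant'})
    print(run_two_legged())     # (200, 'profile of app1')
```

Reading the two runners side by side is the point: `run_three_legged` touches all three steps, while `run_two_legged` skips `authorize()` entirely and the token endpoint's `client_credentials` branch is where the "implicit step 1" lives. Step 3 is the same function in both cases, which is the argument for leaving the resource-access section separate.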
