Imposing order and exact string matching on response_type's while
simultaneously supporting a special character '+' and introducing the
concept of composite response_type is a poor compromise, IMNSHO. What
is the rationale to fear allowing multiple-valued response_type as we
have for other parameters in the spec?

On Mon, Jul 11, 2011 at 18:51, Eran Hammer-Lahav <[email protected]> wrote:
> As for the plus encoding we can choose another char or give an example.
>
> On Jul 11, 2011, at 18:07, "Marius Scurtescu" <[email protected]> wrote:
>
>> If I read section 8.4 correctly it seems that new response types can
>> be defined but composite values must be registered explicitly.
>>
>> I don't think this approach scales too well. OpenID Connect for
>> example is adding a new response type: id_token.
>>
>> id_token can be combined with either code or token and potentially
>> with both of them, the following combinations must be registered as a
>> result:
>> code+id_token
>> token+id_token
>> code+token+id_token
>>
>> and this assumes that code+token is already registered.
>>
>> I think it makes more sense to define response_type as a space
>> separated list of items, where each item can be individually
>> registered. I do realize that this complicates things quite a bit (not
>> we have to define and deal with both composite response_type and the
>> individual items).
>>
>> As a side note, using + as separator could cause lots of problems. If
>> people naively type "code+toke" it will be decoded as "code token". No
>> one will remember the hex code for +.
>>
>> Marius
>> _______________________________________________
>> OAuth mailing list
>> [email protected]
>> https://www.ietf.org/mailman/listinfo/oauth
>



-- 
--Breno
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth

Reply via email to