Imposing order and exact string matching on response_type's while simultaneously supporting a special character '+' and introducing the concept of composite response_type is a poor compromise, IMNSHO. What is the rationale to fear allowing multiple-valued response_type as we have for other parameters in the spec?
On Mon, Jul 11, 2011 at 18:51, Eran Hammer-Lahav <[email protected]> wrote: > As for the plus encoding we can choose another char or give an example. > > On Jul 11, 2011, at 18:07, "Marius Scurtescu" <[email protected]> wrote: > >> If I read section 8.4 correctly it seems that new response types can >> be defined but composite values must be registered explicitly. >> >> I don't think this approach scales too well. OpenID Connect for >> example is adding a new response type: id_token. >> >> id_token can be combined with either code or token and potentially >> with both of them, the following combinations must be registered as a >> result: >> code+id_token >> token+id_token >> code+token+id_token >> >> and this assumes that code+token is already registered. >> >> I think it makes more sense to define response_type as a space >> separated list of items, where each item can be individually >> registered. I do realize that this complicates things quite a bit (not >> we have to define and deal with both composite response_type and the >> individual items). >> >> As a side note, using + as separator could cause lots of problems. If >> people naively type "code+toke" it will be decoded as "code token". No >> one will remember the hex code for +. >> >> Marius >> _______________________________________________ >> OAuth mailing list >> [email protected] >> https://www.ietf.org/mailman/listinfo/oauth > -- --Breno _______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
