Terminology correction: This discussion was actually about HTTP authentication
schemes (Bearer, MAC, etc.), not token types (JWT, SAML, etc.). I've changed
the subject line of the thread accordingly.
-- Mike
-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Barry
Leiba
Sent: Thursday, November 17, 2011 12:29 AM
To: oauth WG
Subject: [OAUTH-WG] Mandatory-to-implement token type
Stephen, as AD, brought up the question of mandatory-to-implement token types,
in the IETF 82 meeting. There was some extended discussion on the point:

- Stephen is firm in his belief that it's necessary for interoperability. He
notes that mandatory to *implement* is not the same as mandatory to *use*.
- Several participants believe that without a mechanism for requesting or
negotiating a token type, there is no value in having any type be mandatory to
implement.

Stephen is happy to continue the discussion on the list, and make his point
clear. In any case, there was clear consensus in the room that we *should*
specify a mandatory-to-implement type, and that that type be bearer tokens.
This would be specified in the base document, and would make a normative
reference from the base doc to the bearer token doc.

We need to confirm that consensus on the mailing list, so this starts the
discussion. Let's work on resolving this over the next week or so, and moving
forward:

1. Should we specify some token type as mandatory to implement? Why or why not
(*briefly*)?
2. If we do specify one, which token type should it be?

Barry, as chair
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth