> > It seems like the scope of your criticism has more to do with RFC 6749 & > RFC 6750 overall, than the assertions drafts themselves. >
No, and I'm sorry if it came across that way. I mentioned the token-type issue only by way of background. As it happens, I do think it was a mistake to publish the oauth framework spec without a mechanism for discovery/negotiation/communication of token types, but I'm not holding that against this document at all. > In OpenID Connect we implemented a discovery and registration layer for > clients to discover what the Authorization server supports. > Great! I think that each use of the protocol shouldn't have to roll this on its own, but it's good that OIDC did it. > To acceve real interoperability these things need to be profiled or you > need a negotiation mechanism. > We do agree on that; cool. > Are you saying that Assertions needs a low level mechanism to negotiate > capabilities? > Many will argue that specs at a higher level like like Dynamic Client > Registration https://datatracker.ietf.org/doc/draft-ietf-oauth-dyn-reg/are > better places to address these capability negotiations because as you > point out there is more to be negotiated than just assertions. > I would be happy to have it done that way, but then I think that needs to happen first, and this needs to refer to that (normatively) as the (or a) mechanism that helps this interoperate. > It has been stated by one of the WG chairs that some of us are anti > interoperability, so some of us may be a touch sensitive, around this, as > it is not the case. > Yeh, we very much need to keep that kind of rhetoric and questioning of motives out of the discussion. You won't hear it from me, certainly. Quite the opposite: I'm quite confident that we all share the goal of developing good specs from which interoperable implementations can be built. It's not a question of anti-anything, but of disagreement about how to accomplish that. Barry
_______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
