On Tue, Jul 03, 2018 at 08:10:52PM +0000, Mike Jones wrote:
> 
> I believe that the ACE "profile" parameter is typically unnecessary and
> not in the spirit of normal OAuth.  Configuration information between
> OAuth participants is typically configured out of band and/or retrieved
> from the AS Discovery document (per the newly minted RFC
> 8414<https://tools.ietf.org/html/rfc8414>). There's no need to
> dynamically exchange a profile identifier when this is essentially always
> known in advance.  We should not include "profile".  For that matter, ACE

For what it's worth, this part of "the spirit of normal OAuth" is something
that leaves me with lingering unease.  While I do not dispute that this
sort of configuration information is usually known out of band or via
discovery, we ought to be considering the potential consequences when the
parties do not actually agree on what configuration should be in use.  An
explicit indicator makes for an easy-to-analyze "fail quickly" scenario,
whereas leaving things implicit is much harder to reason about.  And yes,
this case of easier analysis is at the cost of complexity elsewhere, so
there is a tradeoff.

-Ben
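The "fail quickly" point in the reply above, as an added illustration that is not code from this thread or from any ACE implementation: a client that assumes one ACE profile talks to an AS that only issues tokens for another. The profile names, audience, token value and error strings are constructed placeholders; the model simply records at which stage the configuration mismatch becomes visible.

```python
# Added illustration (not from the thread or any ACE project). Models a client and an AS
# that disagree on the ACE profile, with and without an explicit "profile" parameter in
# the token request. Profile names, audience and token values are constructed.

AS_SUPPORTED_PROFILES = {"profile_B"}   # constructed: the only profile this AS can issue
AS_DEFAULT_PROFILE = "profile_B"        # constructed: what the AS assumes when none is sent


def build_token_request(assumed_profile, explicit):
    """Client side: build a token request; send 'profile' only when explicit is True."""
    req = {"grant_type": "client_credentials", "audience": "sensor-42"}  # constructed
    if explicit:
        req["profile"] = assumed_profile
    return req


def as_handle(req):
    """AS side: an explicit but unsupported profile is rejected immediately; an absent
    profile silently resolves to the AS default, so no error is raised here."""
    if "profile" in req:
        if req["profile"] not in AS_SUPPORTED_PROFILES:
            return {"error": "invalid_request",
                    "error_description": "unsupported profile"}
        issued_for = req["profile"]
    else:
        issued_for = AS_DEFAULT_PROFILE
    # The token is bound to the profile it was issued for (constructed representation).
    return {"access_token": {"value": "tok-placeholder", "bound_to": issued_for}}


def present_at_rs(assumed_profile, resp):
    """Client side: present the token under the profile it assumed. Returns the stage at
    which a mismatch surfaces, or 'ok' if the parties agreed."""
    if "error" in resp:
        return "rejected_at_token_request"   # explicit indicator: failed fast, easy to diagnose
    if resp["access_token"]["bound_to"] != assumed_profile:
        # Implicit configuration: the disagreement only shows up when the proof-of-
        # possession exchange with the RS fails, far from where the mistake was made.
        return "failed_at_resource_access"
    return "ok"


def run(assumed_profile, explicit):
    """Drive one client/AS/RS round trip and report where (or whether) it failed."""
    resp = as_handle(build_token_request(assumed_profile, explicit))
    return present_at_rs(assumed_profile, resp)


if __name__ == "__main__":
    print(run("profile_A", explicit=True))    # rejected_at_token_request
    print(run("profile_A", explicit=False))   # failed_at_resource_access
    print(run("profile_B", explicit=False))   # ok
```

The two `profile_A` runs are the comparison the reply is making: the same misconfiguration is caught at the token endpoint when the client states its assumption, and only at the resource server when it does not. Logging the stage returned by `run` is the kind of signal an operator would want when reasoning about which party holds the wrong configuration.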

_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth