+1 to David. If it’s a redirect, 307 is more appropriate. It’s up to the AS to decide if the client should do MTLS or not, if there’s an option.
— Justin On Feb 4, 2019, at 12:17 PM, David Waite <[email protected]<mailto:[email protected]>> wrote: My understanding is that a permanent redirect would be telling the client (and any other clients getting cached results from an intermediary) to now stop using the original endpoint in perpetuity for all cases. I don’t think that is appropriate (in the general case) for an endpoint with request processing business logic behind it, since that logic may change over time. -DW On Feb 4, 2019, at 6:28 AM, Brian Campbell <[email protected]<mailto:[email protected]>> wrote: Yeah, probably. On Sat, Feb 2, 2019 at 12:39 AM Neil Madden <[email protected]<mailto:[email protected]>> wrote: If we go down the 307 route, shouldn’t it rather be a 308 (permanent) redirect? It seems unnecessary for the client to keep trying the original endpoint or have to remember cache-control/expires timeouts. — Neil _______________________________________________ OAuth mailing list [email protected]<mailto:[email protected]> https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
