I am very much in favor of the WG pursuing the general concept of an OAuth
Token Exchange. However, I don't believe this document, in its current
form anyway, is necessarily the most appropriate starting point as a WG
work item.
I wrote up an I-D, which I'd ask to be considered as
Thanks for doing that.
I think that this is clearer and extends Mike's draft to be more specific about
input and output token types.
It is going to be hard for people to get their heads around this without
at least having some example use-cases and example token input and outputs.
In
Absolutely agree that some examples are needed. There's a [[ TODO ]] in
there for it. I just hadn't gotten to it yet and wanted to get the I-D up
before the Aug 10 date that Hannes put out there. The example you outlined
is a good start, I think.
Yes, code and refresh tokens would/could be valid
First, I’ll say that I appreciate Brian also working on this topic. This is
important for many multi-actor use cases and it would be good for OAuth to
develop a standard in this area. I also agree with the discussion on the list
that having some use case descriptions and concrete examples
OK so act_as if not sent is implicitly the requestor perhaps authenticated by
the endpoint in the normal OAuth way.
If the requestor is acting like a proxy as in the Token Agent case the
act_as would indicate the identity of the client making the request to the
Token Agent so that the