Hiya,

In section 1:

> The STS protocol defined in this specification is not itself RESTful (an STS doesn't lend itself particularly well to a REST approach) but does utilize communication patterns and data formats that should be familiar to developers accustomed to working with RESTful systems.

A colleague expressed concern that token exchange cannot be RESTful. Given that the token exchange endpoint defined here is the same as the token endpoint, is this a restatement that this endpoint itself is not RESTful, as opposed to a different change? AFAICT, none of the other OAuth RFCs mention RESTful concerns.

In Section 2.1:

Regarding exchanging an access token for an id token, OIDC allows the caller to provide a claims parameter to specify the specific claims returned in an id token. See https://openid.net/specs/openid-connect-core-1_0.html#ClaimsParameter

I'm not sure that this spec explicitly constrains parameters to be passed to this method, but it also doesn't have any language to suggest that it will allow extended parameter lists to be passed and interpreted by the auth server.

--
Josh McKinney
joshka.net

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
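As an added illustration of the Section 2.1 question (example code, not from the draft or the post above): a token exchange request that asks for an ID token and carries the OIDC `claims` parameter as an extension, next to a server-side check in which the server explicitly decides which extension parameters it interprets and refuses the rest. The function names and the server's choice to accept `claims` are assumptions for the example; the parameter names and token-type URIs are those of the token exchange draft and OIDC Core.

```python
import json
from urllib.parse import urlencode, parse_qs

# Constructed example, not code from the draft or the mailing-list post.
TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"
ID_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:id_token"
# Request parameters defined by the token exchange draft (RFC 8693, section 2.1).
STS_PARAMS = {"grant_type", "resource", "audience", "scope", "requested_token_type",
              "subject_token", "subject_token_type", "actor_token", "actor_token_type"}
# Extension parameter this hypothetical server chooses to accept (OIDC Core 5.5).
EXTENSION_PARAMS = {"claims"}


def build_request(subject_token, claims=None):
    # Form body a client POSTs to the token endpoint to trade an access token
    # for an ID token; "claims" is carried as a JSON string, as OIDC does.
    body = {"grant_type": TOKEN_EXCHANGE_GRANT,
            "subject_token": subject_token,
            "subject_token_type": ACCESS_TOKEN_TYPE,
            "requested_token_type": ID_TOKEN_TYPE}
    if claims is not None:
        body["claims"] = json.dumps(claims)
    return urlencode(body)


def parse_request(form_body):
    # Server side: returns (errors, requested_id_token_claims). Unknown
    # parameters are refused rather than silently dropped, so the server's
    # policy on which extensions it interprets is explicit and auditable.
    fields = {k: v[0] for k, v in parse_qs(form_body, keep_blank_values=True).items()}
    errors = []
    unknown = set(fields) - STS_PARAMS - EXTENSION_PARAMS
    if unknown:
        errors.append("unknown parameter(s): " + ", ".join(sorted(unknown)))
    if fields.get("grant_type") != TOKEN_EXCHANGE_GRANT:
        errors.append("unsupported grant_type")
    errors += [f"missing {p}" for p in ("subject_token", "subject_token_type") if not fields.get(p)]
    requested = {}
    if "claims" in fields:
        try:
            id_token = json.loads(fields["claims"]).get("id_token", {})
        except (ValueError, AttributeError):
            errors.append("claims is not a JSON object")
            id_token = {}
        # OIDC 5.5: each claim maps to null or to an object such as {"essential": true}.
        for name, spec in (id_token.items() if isinstance(id_token, dict) else []):
            if spec is None or isinstance(spec, dict):
                requested[name] = bool(spec and spec.get("essential"))
            else:
                errors.append(f"claims.id_token.{name} must be null or an object")
    return errors, requested
```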