On Mon, 10 Feb 2025 at 17:39, Stephen Paul Weber <[email protected]> wrote:
>
> > The authcid is how we convey the authenticating username.
>
> Yes, I understand that's what currently is placed there. I'm proposing that for FAST we put a token id there, which will of course convey the account in question to the server as well (since a token is only valid for a single account).

The server would need to know that FAST is being used in order to know it's not a username, but my understanding is that a reason for proposing this is to remove the explicit indication to the server that this is a FAST authentication. Right?

> > 1) The type of credential being used (password, FAST token, bearer token, etc.)
> > 2) In some cases, some identifier of the credential being used (when the same user has multiple credentials of the same type, common with tokens)
>
> I think these are basically the same thing. We need to know what credential is being used. If we have an identifier then we will also know the type of that credential based on the id.

Well, passwords don't have such identifiers, only the username.

It feels somewhat hacky to override the meaning of authcid in this way. I'd perhaps be okay with defining the authcid as a credential id, except that it currently is not, and I definitely don't like the idea of it sometimes containing a username and sometimes something else. That's just asking for mix-ups, with potentially bad consequences.

Regards,
Matthew

_______________________________________________
Standards mailing list -- [email protected]
To unsubscribe send an email to [email protected]
