You are a bit behind. -08 added it back as grant_type which works better with the current explanation.
EHL From: Dick Hardt [mailto:dick.ha...@gmail.com] Sent: Tuesday, June 22, 2010 1:29 PM To: Brian Eaton Cc: Eran Hammer-Lahav; OAuth WG (oauth@ietf.org) Subject: Re: [OAUTH-WG] Draft -07 (major rewrite) Per an earlier comment, "type" might not be the best name for the parameter. Perhaps "method" might work and adds a clear extension point for other types of calls? On Tue, Jun 22, 2010 at 1:22 PM, Dick Hardt <dick.ha...@gmail.com<mailto:dick.ha...@gmail.com>> wrote: One of the modifications I concluded to do to WRAP was to add in the type parameter. I was happy to see if in David's draft. Even though redundant in some ways, it make it very clear to both the client and server what is intended. +1 for putting it back in. On Mon, Jun 14, 2010 at 11:23 AM, Brian Eaton <bea...@google.com<mailto:bea...@google.com>> wrote: On Mon, Jun 14, 2010 at 9:18 AM, Eran Hammer-Lahav <e...@hueniverse.com<mailto:e...@hueniverse.com>> wrote: > Adding a verification code to the user-agent flow was suggested on this list > and received nothing but support. It was suggested as a solution to a > Twitter use case. Once that is added in, the two flows only differ in how > the response is delivered and the presence of an access token in the > response (which currently is a MUST NOT for web-server but I don't know if > this restriction is need). Yeah, this matters. If you return an access token on the web-server flow, several things break: - you can no longer rely on the client secret to authenticate the callback URL. - you lose all hope of getting to LOA 2 with this protocol, because the access token is visible to the client. - you lose the clarity of how the web server flow is supposed to work. Bike-shed painting: The use-cases for web server and user-agent flow are also different. I'd prefer to have the spec call out different profiles for different use-cases, because it makes it much easier to figure out what a given application should be doing. During the WRAP work I argued that we didn't need a type parameter, and after looking at WRAP implementations I've changed my mind. Please leave it in. Cheers, Brian _______________________________________________ OAuth mailing list OAuth@ietf.org<mailto:OAuth@ietf.org> https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
