I would like to make this change in -11:

Instead of the current use of the 'assertion' grant type -

  POST /token HTTP/1.1
  Host: server.example.com
  Content-Type: application/x-www-form-urlencoded

  grant_type=assertion&
  assertion_type=urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Aassertion&
  assertion=PHNhbWxwOl[...omitted for brevity...]ZT4%3D

Drop the 'assertion' grant type and put the assertion type directly in the grant_type parameter:

  POST /token HTTP/1.1
  Host: server.example.com
  Content-Type: application/x-www-form-urlencoded

  grant_type=urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Aassertion&
  assertion=PHNhbWxwOl[...omitted for brevity...]ZT4%3D

In other words, the grant_type parameter value will be defined as:

- authorization_code
- password
- client_credentials
- refresh_token
- an absolute URI (extensions)

I considered turning all the values into URIs but found it to be counter-intuitive. The practice of using "official" short names and extension URIs is well established and is already the general architecture used here. This just makes it cleaner.

I ran this idea by Brian Campbell and Chuck Mortimore who are generally supportive of the idea.

Any objections?

EHL
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
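
Added example (not part of the original message or of any OAuth implementation): one way a token endpoint could validate grant_type under the proposed rule, accepting the four short names or a registered absolute URI and refusing everything else, including the old grant_type=assertion form. The function name, the registered-extension set and the simplified absolute-URI pattern are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qs

# The four short names listed in the message.
SHORT_NAMES = {"authorization_code", "password", "client_credentials", "refresh_token"}

# Extension grants this (hypothetical) server has registered. Only the SAML
# URI from the message is enabled; others are refused even if well formed.
SUPPORTED_EXTENSIONS = {"urn:oasis:names:tc:SAML:2.0:assertion"}

# Simplified absolute-URI test (assumption): scheme, ":", non-empty rest,
# no whitespace and no fragment.
ABSOLUTE_URI = re.compile(r"[A-Za-z][A-Za-z0-9+.\-]*:[^\s#]+")


def classify_grant_type(body):
    """Return ("core", name) or ("extension", uri) for a token request body.

    Raises ValueError for a missing, repeated or malformed grant_type and
    LookupError for a well-formed extension URI that is not registered.
    """
    params = parse_qs(body, keep_blank_values=True)
    values = params.get("grant_type", [])
    if len(values) != 1:
        raise ValueError("grant_type must appear exactly once")
    grant_type = values[0]
    if grant_type in SHORT_NAMES:
        return ("core", grant_type)
    if not ABSOLUTE_URI.fullmatch(grant_type):
        # Catches the old grant_type=assertion form as well as typos.
        raise ValueError("grant_type is neither a short name nor an absolute URI")
    if grant_type not in SUPPORTED_EXTENSIONS:
        raise LookupError("extension grant type not registered: " + grant_type)
    return ("extension", grant_type)


if __name__ == "__main__":
    # Constructed request bodies; the assertion value is a placeholder.
    new_style = ("grant_type=urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Aassertion"
                 "&assertion=CONSTRUCTED")
    old_style = ("grant_type=assertion"
                 "&assertion_type=urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Aassertion"
                 "&assertion=CONSTRUCTED")
    print(classify_grant_type(new_style))
    try:
        classify_grant_type(old_style)
    except ValueError as exc:
        print("rejected:", exc)
```

The extension URI is compared as an exact, case-sensitive string after form decoding, so near-miss values are refused rather than normalised into a match.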