So far response type values are just strings one needs to compare
literally. What use case justifies the more complex proposal?
regards,
Torsten.
On 15.07.2011 19:44, Eran Hammer-Lahav wrote:
I was only arguing against the proposed text which doesn't accomplish
what you want from a normative perspective. I can easily address the
use case with very short prose but I would like to see more working
group discussion about it first.
Seems like WG members representing three large OAuth implementations
(Facebook, Google, Microsoft) are very supportive. Does anyone object
to making the change to allow space-delimited values in the
response_type parameter? Once we get consensus on that, I can proceed
to offer a proposal. The main difficulty is how to deal with errors.
EHL
*From:* Mike Jones [mailto:michael.jo...@microsoft.com]
*Sent:* Friday, July 15, 2011 10:16 AM
*To:* Eran Hammer-Lahav; oauth@ietf.org
*Subject:* RE: Issue 18: defining new response types
Yes, that's the intent of the change.
*From:* Eran Hammer-Lahav [mailto:e...@hueniverse.com]
*Sent:* Friday, July 15, 2011 10:14 AM
*To:* Mike Jones; oauth@ietf.org
*Subject:* RE: Issue 18: defining new response types
You can't have it both ways. Either it is a simple string comparison or
it requires parsing of the string. The current prose is designed to
offer a visual cue without making any code changes to how response
types are compared. To allow different orders, we have to turn the
value to a parsed list.
EHL
*From:* oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org]
*On Behalf Of* Mike Jones
*Sent:* Friday, July 15, 2011 10:02 AM
*To:* oauth@ietf.org
*Subject:* [OAUTH-WG] Issue 18: defining new response types
I agree that this functionality is needed. However, I believe its
current embodiment is overly restrictive. I would suggest changing
this text:
Only one response type of each combination may be registered and used
for making requests. Composite response types are treated and compared
in the same manner as non-composite response types. The "+"
notation is meant only to improve human readability and is not used
for machine parsing.
For example, an extension can define and register the
token+code response type. However, once registered, the same
combination cannot be registered as code+token, or used to make an
authorization request.
to this:
The order of the composite response type values is not significant.
For instance, the composite response types token+code and code+token are
equivalent. Each composite response type value MUST occur only once.
Thanks,
-- Mike
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
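
The two comparison models debated in this thread, as an added example that is not part of any message above or of any OAuth implementation: a literal string match next to a parsed, order-independent match over space-delimited values. All function names, the constructed registry, and the mapping of failures to the OAuth error codes invalid_request and unsupported_response_type are assumptions; the thread leaves error handling open.

```python
# Added illustration; names below are hypothetical, not from any OAuth library.

# Constructed registry: each registered response type is stored as a set of values.
REGISTERED = {
    frozenset({"code"}),
    frozenset({"token"}),
    frozenset({"code", "token"}),
}


class ResponseTypeError(ValueError):
    """Carries an OAuth error code for the authorization error response."""

    def __init__(self, code, detail):
        super().__init__(f"{code}: {detail}")
        self.code = code


def literal_match(value, registered_strings):
    """Simple string comparison: no parsing, so order matters."""
    return value in registered_strings


def parse_response_type(value):
    """Parse a space-delimited response_type into an order-independent set."""
    # Split on single spaces only, so an empty value or stray whitespace
    # shows up as an empty part instead of being silently dropped.
    parts = value.split(" ")
    if any(p == "" for p in parts):
        raise ResponseTypeError("invalid_request", "empty response_type value")
    seen = set()
    for part in parts:
        if part in seen:  # each value must occur only once
            raise ResponseTypeError("invalid_request", f"duplicate value {part!r}")
        seen.add(part)
    return frozenset(seen)


def resolve_response_type(value, registered=REGISTERED):
    """Return the registered combination the request asks for, or raise."""
    requested = parse_response_type(value)
    if requested not in registered:  # assumed mapping for unknown combinations
        raise ResponseTypeError("unsupported_response_type", value)
    return requested
```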