I echo Justin Richer's comments. On Thu, Nov 17, 2011 at 12:28 AM, Barry Leiba <barryle...@computer.org> wrote: > 1. Should we specify some token type as mandatory to implement? Why > or why not (*briefly*)?
No. There's no mechanism in the spec for clients to request a particular token type, so there's no opportunity for the authorization server to decide what token type to send. The only thing the authorization server can do is pick its own preference. If there's an MTI token type, and with the absence of a client preference, the authorization server will have to pick the MTI token type. So an MTI token type + no client preference is equivalent to there only existing one token type. Mike PS: I sent this 2011/11/17 but apparently hit reply instead of reply all. _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
