James, this is a very good question, particularly since we have a working group item in progress that provides security properties beyond bearer tokens.

Ciao
Hannes

From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of ext Manger, James H
Sent: Thursday, June 06, 2013 7:06 AM
To: oauth@ietf.org
Subject: [OAUTH-WG] draft-ietf-oauth-dyn-reg and bearer tokens

BEARER tokens dominate OAuth 2 deployments today, but OAuth 2 is deliberately extensible to support other sorts of credentials (eg MAC authentication). Why is draft-ietf-oauth-dyn-reg hardwired to only support BEARER tokens?

1.3. “Registration Tokens and Credentials” says:
“The Initial Access Token … is an OAuth 2.0 Bearer Token”
“The Registration Access Token … is an OAuth 2.0 Bearer Token”

Google’s TLS ChannelIDs [draft-balfanz-tls-channelid], for instance, would be a fantastic fit for linking the first registration request with any subsequent registration modifications. The Registration Access Token would be annoying legacy baggage in that situation.

It seems that the Registration Access Token is only ever used at a single URI: registration_client_uri. That sounds like the perfect situation to use a “capability URI”, effectively putting the token in the URI. Anyone considered doing that? It should significantly simplify the spec.

--
James Manger

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
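
The "capability URI" idea raised in the original message, sketched as an added example (not code from the draft or from anyone on this thread): the server issues no separate Registration Access Token and instead embeds an unguessable secret in registration_client_uri. The base URL, the in-memory store and the function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

BASE = "https://server.example/register/"  # assumed registration endpoint
_clients = {}  # client_id -> record; holds only a digest of the URI secret

def register_client(metadata):
    """Create a client and return the registration response.

    No registration_access_token is issued: the secret lives in the path
    of registration_client_uri, which makes that URI the capability.
    """
    client_id = secrets.token_urlsafe(8)
    secret = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    _clients[client_id] = {
        "digest": hashlib.sha256(secret.encode()).digest(),
        "metadata": dict(metadata),
    }
    return {
        "client_id": client_id,
        "registration_client_uri": f"{BASE}{client_id}/{secret}",
    }

def lookup(uri):
    """Return the client's metadata if uri is a valid capability, else None."""
    parts, base = urlsplit(uri), urlsplit(BASE)
    if parts.scheme != "https":  # the secret must only ever travel over TLS
        return None
    if parts.netloc != base.netloc or not parts.path.startswith(base.path):
        return None
    segments = parts.path[len(base.path):].split("/")
    if len(segments) != 2:
        return None
    client_id, secret = segments
    record = _clients.get(client_id)
    if record is None:
        return None
    presented = hashlib.sha256(secret.encode()).digest()
    # Constant-time comparison so response timing does not leak the digest.
    if not hmac.compare_digest(presented, record["digest"]):
        return None
    return record["metadata"]
```

With the secret in the path rather than in an Authorization header, it will appear in access logs and intermediary caches, so a deployment along these lines has to treat registration_client_uri itself as a credential.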