On Sat, Jul 6, 2019 at 2:42 PM Benjamin Kaduk <ka...@mit.edu> wrote: > > > Not to my recollection. I'm honestly not even sure what an array would > mean > > for "may_act". Do you mean for "act"? > > Currently we can say that ad...@example.com "may act" as u...@example.com.. > But IIUC we don't have a way to say that either adm...@example.com or > adm...@example.com may do so. An array would let us indicate multiple > authorized parties. I'm reluctant to actually make such a change at this > point, though, since this is already deployed some places, right? >
Okay, sorry, I'm a bit slow but I follow you now. Indeed this has been deployed in a number of places already. I'd honestly don't know if anyone is making use of this particular claim but changing from an object to array of objects would be a breaking change. And a breaking change is something I'd really like to avoid unless there's a very compelling reason to do so. And while your point here is taken, I don't think it rises to that level of compelling. I see two options at this point: 1) leave it as is 2) adjust the language around "may_act" such that it could also identify an eligible group - this would allow for it to indicate multiple authorized parties but just not by one by one name, which is maybe more desirable anyway What do you think? -- _CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited. If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you._
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth