draft-ietf-oauth-status-list offers 2 formats of status list tokens: JWT (JSON 
Web Token) and CWT (CBOR Web Token). But only provides 1 “uri” field. That’s 
annoying; not developer-friendly; and unnecessary.

I suggest defining 2 fields: “jwt_uri” and “cwt_uri”. At least one must be 
present.


1 URI can “work” theoretically, but only if all clients and all servers always 
use the Accept HTTP request header to do content-negotiation. That complicates 
all parties. It means you can’t just paste the URI into a browser. You can’t 
use the simplest HTTP GET method that every programming language offers. 
Caching … who knows.
Perhaps the worst part is that 1 URI will mostly work even for clients that use 
a simple get(uri) method and don’t bother about the Accept header. The URI in a 
JWT will return a JWT (the URI in a CWT will return a CWT). The client will 
assume the result is what they expect. Then some issuers will require 
content-negotiation; some clients will break; those clients will be “at fault”, 
but issuers may need to hack their content-negotiation for interoperability. 
Better to offer 2 explicit fields for 2 explicit formats.

—
James Manger
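As an added illustration of the interoperability hazard described in the post (this is not code from the mailing-list thread or from the draft), the following mock shows an issuer endpoint that negotiates JWT vs CWT on the Accept header, and a client that checks the Content-Type before parsing so that a naive or mismatched fetch fails loudly instead of feeding the wrong format to a parser. The media types are the ones registered by draft-ietf-oauth-status-list; the `serve` and `fetch_status_list` functions and the sample token bytes are constructed for this example.

```python
from typing import Optional, Tuple

# Media types registered by draft-ietf-oauth-status-list for the two token formats.
JWT_TYPE = "application/statuslist+jwt"
CWT_TYPE = "application/statuslist+cwt"

# Constructed placeholder bodies (not real tokens): a JWT is compact text, a CWT is CBOR.
SAMPLE = {
    JWT_TYPE: b"eyJhbGciOiJFUzI1NiJ9.eyJzdGF0dXNfbGlzdCI6e319.c2ln",
    CWT_TYPE: b"\xd2\x84\x43\xa1\x01\x26\xa0\x40\x40",
}


def serve(accept: Optional[str], default: str = JWT_TYPE) -> Tuple[int, str, bytes]:
    """Mock GET handler (hypothetical): honour the Accept header if present,
    otherwise fall back to the issuer's default format. Returns (status, content-type, body)."""
    if accept:
        wanted = [t.strip().split(";")[0] for t in accept.split(",")]
        for media_type in wanted:
            if media_type in SAMPLE:
                return 200, media_type, SAMPLE[media_type]
        if "*/*" not in wanted:
            return 406, "text/plain", b"not acceptable"
    return 200, default, SAMPLE[default]


class FormatMismatch(Exception):
    """Raised when the endpoint did not return the format the referencing token implies."""


def fetch_status_list(expected: str, accept: Optional[str],
                      issuer_default: str = JWT_TYPE) -> bytes:
    """Client side (hypothetical): request the expected format and refuse to parse
    anything else. A client that omits Accept only works while the issuer's default
    happens to match; checking Content-Type turns that silent assumption into an error."""
    status, ctype, body = serve(accept, issuer_default)
    if status != 200:
        raise FormatMismatch(f"HTTP {status} from status list endpoint")
    if ctype != expected:
        raise FormatMismatch(f"expected {expected}, got {ctype}")
    return body
```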


_______________________________________________
OAuth mailing list -- [email protected]