Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-dyn-reg-06.txt

2013-02-17 Thread Torsten Lodderstedt
Hi Justin, the new revision seems to catch the state of discussion and is consistent. Thanks for bringing this topic forward. On your editor's note in section 4.2.: In my opinion, the 404 due to a non-existing resource should precede the 403. I would suggest to point out your thoughts on

Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-revocation-05.txt

2013-02-17 Thread Torsten Lodderstedt
Hi Sergey, On 14.02.2013 11:32, Sergey Beryozkin wrote: - an attempt to revoke an invalid token is now handled like a successful revocation request (status code 200) Does it create some precedent, meaning that while people suggest using 4xx statuses to indicate different sorts of failures in

Re: [OAUTH-WG] Minutes from the OAuth Design Team Conference Call - 11th February 2013

2013-02-17 Thread Sergey Beryozkin
Hi, On 16/02/13 17:57, William Mills wrote: The reason to support 1.0a tokens in 2 is simply to provide a migration path when a site has 1.0a endpoint it wants to support. I really like the idea of having a migration path, which is very important to have, but IMHO this approach won't work.

[OAUTH-WG] oauth assertions plan

2013-02-17 Thread Stephen Farrell
Hi all, The OAuth assertion document has received DISCUSSes as you can see from the data tracker at [1]. I've been chatting with the chairs and the ADs with those DISCUSSes in the last few days. The main concern is that these documents do not sufficiently specify the functionality that is

Re: [OAUTH-WG] oauth assertions plan

2013-02-17 Thread Stephen Farrell
In some off-list mail between Mike and me, he said: Was TCP a bad idea because it didn't have MTI port numbers? Would it have improved TCP to add an MTI port or two? To which I responded: Ports are MTI for TCP. [1] They are 16 bit values with a well-defined test for equality and a little

Re: [OAUTH-WG] oauth assertions plan

2013-02-17 Thread John Bradley
I largely agree with Mike, that assertions are going to be used in a number of places that have different naming conventions. Is what Barry is looking for a specific profile for how it would be used with the token endpoint to authenticate an OAuth confidential client to a token endpoint in the

Re: [OAUTH-WG] oauth assertions plan

2013-02-17 Thread Barry Leiba
OK, I have some time to respond to this on a real computer. Let's look at the general mechanism that oauth provides, using one use case: A client asks an authorization server for authorization to do something. The authorization server responds with an authorization token, which the client is