Basic & other specs - token type

Issue #620 resolved
John Bradley created an issue

Basic states token type MUST be bearer. It has no check for that in the flow. It is implied in OAuth but could be unclear to some people.

The other issue is that we may be shooting ourselves in the foot with the MUST.

I think wording that Basic and implicit profile MUST implement Bearer and that the client MUST ensure the token type in the response is one it supports would be better.

For the server side the token type MUST be bearer unless some other token type has been negotiated with the client out of band.

That allows a future HoK token type extension without breaking the existing specs.
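The client-side check proposed above, as an added example that is not part of this issue thread or of either spec: an OAuth 2.0 token endpoint response is parsed and rejected unless its token_type is one the client supports, with Bearer as the only default and any other type (e.g. a holder-of-key type) accepted only once it has been added explicitly after out-of-band negotiation. The supported-type set and the sample responses are constructed for this example.

```python
import json

# Token types this client can actually handle. "bearer" is the default that
# Basic/Implicit clients must support; any other type has to be negotiated with
# the server out of band and added here explicitly (hypothetical client config).
SUPPORTED_TOKEN_TYPES = {"bearer"}


class UnsupportedTokenType(Exception):
    """Raised when a token response carries a token_type this client cannot use."""


def check_token_response(body: str, supported=SUPPORTED_TOKEN_TYPES) -> dict:
    """Parse a token endpoint response and return it only if its token_type
    is supported. token_type is compared case-insensitively, as RFC 6749
    specifies; a missing or unknown type is an error, never silently Bearer."""
    resp = json.loads(body)
    if "access_token" not in resp:
        raise ValueError("token response lacks access_token")
    token_type = resp.get("token_type")
    if not isinstance(token_type, str):
        # RFC 6749 makes token_type REQUIRED; without it the client does not
        # know how to present the token, so the response is rejected.
        raise UnsupportedTokenType("token_type missing from response")
    if token_type.lower() not in {t.lower() for t in supported}:
        raise UnsupportedTokenType(f"unsupported token_type {token_type!r}")
    return resp


def is_acceptable(body: str, supported=SUPPORTED_TOKEN_TYPES) -> bool:
    """True if the response passes check_token_response, False otherwise."""
    try:
        check_token_response(body, supported)
        return True
    except (UnsupportedTokenType, ValueError, json.JSONDecodeError):
        return False


# Constructed sample responses (not captured from any real server).
BEARER_RESPONSE = json.dumps({"access_token": "abc", "token_type": "Bearer", "expires_in": 3600})
HOK_RESPONSE = json.dumps({"access_token": "abc", "token_type": "HoK"})
MISSING_TYPE = json.dumps({"access_token": "abc"})

if __name__ == "__main__":
    print(is_acceptable(BEARER_RESPONSE))                  # True: default Bearer
    print(is_acceptable(HOK_RESPONSE))                     # False: not negotiated
    print(is_acceptable(HOK_RESPONSE, {"Bearer", "HoK"}))  # True after out-of-band agreement
    print(is_acceptable(MISSING_TYPE))                     # False: token_type absent
```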

Comments (5)

  1. Michael Jones

    Saying that it must be Bearer is too restrictive. We need to allow another token type, such as holder-of-key, to be negotiated. The default will remain Bearer.