Support of different types of tokens is not clear #11
Comments
|
I think the particular type or semantics of those tokens don't need to be relevant to dbsc. We could clarify that this should not be confused with authorization tokens in eg OAuth2 - the only meaning of the authorization parameter is that the browser will set it as an Authorization: Bearer ... header on the registration call to the endpoint. The motivation for this was twofold:
But if a website wants to use other tokens (including bespoke non-standard ones), as long as they accept them in the Authorization header, they should be able to just do so. |
|
Updated the explainer with Arnar's explanation here: d23e52d |
|
In OAuth RFC there is a term "authorization code" but there is no term "authorization token". Hence, I would remove:
I would change this one:
I would remove refresh token, as it may be an arguable statement (depends upon background):
My version:
|
alextok
changed the title
|
Updated here: 6b39658 |
|
I added the value back as the authorization header in 00141ce, as this is the main point that can help integrate with existing infra. I agree it should be included in the JWT as well though for integrity, hence it appears in both places now. I also changed some of the language to clarify. Please reopen this issue if you have comments on that change. |
We need to define how different type of credentials will be delivered to the servers. The current spec defines "authorization" as , but what should we send if it is an "id_token", or "access token", or custom token. What is a plan to support other credential types?
Plan A:
"authorization" : <authorization_code | id_token | access_token|custom_token >
Plan B:
"authorization" : <authorization_code>
"id_token": <id_token>
"access_token": <access_token>
"custom_token": <custom_token >
The text was updated successfully, but these errors were encountered: