KantaraInitiative / wg-uma

This is the repository of all specifications related to the User Managed Access Group
http://kantarainitiative.org/confluence/display/uma/

Clarify that token_type_hint for RPT should be set to access_token #336

Closed xmlgrrl closed 7 years ago

xmlgrrl commented 7 years ago

In from James Phillpotts: In FedAuthz Sec 5.1, given we just talk about RPTs and PATs, should we specify that the token_type_hint (if used) should be set to access_token?

ref: https://tools.ietf.org/html/rfc7662#section-2.1 and https://tools.ietf.org/html/rfc7009#section-4.1.2.2

I commented: Since both PATs and RPTs are already formally defined, and function, as OAuth access tokens, I wonder if it's necessary to spell this requirement out. (The protection API is just about introspecting the RPT.)

James replied: Only in that in UMA 1.0 the token type hint was not access_token.

Justin weighed in: This is a good point, might as well spell it out.
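An added illustration, not part of the issue thread or of the UMA specifications: the introspection call discussed above, with a resource server sending the RPT with `token_type_hint=access_token` under PAT authorization, and an authorization server that treats the hint only as a lookup optimization, as RFC 7662 Section 2.1 requires. The token values, store layout and function names are constructed for the example.

```python
from urllib.parse import urlencode, parse_qs

# Constructed sample data. RPTs and PATs are both OAuth access tokens,
# so both live in the access-token store.
ACCESS_TOKENS = {
    "rpt-sample-123": {"active": True, "permissions": [
        {"resource_id": "photo-1", "resource_scopes": ["view"]}]},
    "pat-sample-456": {"active": True, "scope": "uma_protection"},
}
REFRESH_TOKENS = {"rt-sample-789": {"active": True}}
STORES = {"access_token": ACCESS_TOKENS, "refresh_token": REFRESH_TOKENS}


def build_introspection_request(rpt, pat, hint="access_token"):
    """Resource-server side: headers and form body for the introspection call."""
    params = {"token": rpt}
    if hint is not None:  # the hint is optional
        params["token_type_hint"] = hint
    headers = {
        "Authorization": f"Bearer {pat}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    return headers, urlencode(params)


def introspect(headers, body):
    """Authorization-server side: returns (response, stores_searched)."""
    scheme, _, pat = headers.get("Authorization", "").partition(" ")
    pat_record = ACCESS_TOKENS.get(pat)
    # The caller must present a PAT, i.e. a token carrying uma_protection scope.
    if (scheme != "Bearer" or not pat_record
            or "uma_protection" not in pat_record.get("scope", "").split()):
        return {"error": "invalid_token"}, 0
    form = parse_qs(body)
    token = form.get("token", [""])[0]
    hint = form.get("token_type_hint", [None])[0]
    # Search the hinted store first, then every other store: a wrong or
    # unknown hint costs extra lookups but must not change the answer.
    order = sorted(STORES, key=lambda name: name != hint)
    for searched, name in enumerate(order, start=1):
        record = STORES[name].get(token)
        if record is not None:
            return record, searched
    return {"active": False}, len(order)
```

With the `access_token` hint the RPT is found in the first store searched; with a mismatched hint the same response comes back after a second lookup.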