Open Sakurann opened 1 month ago
I think the rationale (for me anyway) is that the goal is any existing OAuth authorization request can be made via the new endpoint (just like we didn't create a new grant_type for PAR). I'm not sure what the AS would do different for the request over a standard auth code flow? The goal is to return a code the client can use to request tokens as it normally does. This also keeps the models similar if the AS requires the user to go through a web flow.
it honestly feels like a huge stretch to use authorization grant type for what is defined in this specification, given that:
a new endpoint
agree that there is probably no need for the new grant types per different authentication factors, but if you are defining a new parameter
authorization_code
, it is probably more honest and cleaner to define a new grant type to get an access token based on this new artifact from an authorization challenge endpoint. Security properties for the authorization code from a usual authorization endpoint and this new authorization challenge endpoint is also probably different, no? (I think I am slightly contradicting a comment in another issue #102, but a new grant type really feels better.)