Closed EdwardHinkle closed 6 years ago
This is an interesting readability vs technicality thing. I agree that switching to Authentication there makes the table of contents easier. But technically speaking, section 5.4 Authorization Code Verification is about verifying a thing called an authorization code. It isn’t that it is part of an authorization flow, it just happens to be called that way.
I'm in favor of changing the headers to "Authentication Request" etc. OpenID Connect is a different OAuth 2.0 extension that also provides an identity layer on top of OAuth 2.0, and they also use "authentication" in their headings: http://openid.net/specs/openid-connect-core-1_0.html
Ohhh, I do see what @Zegnat is saying. 5.4 is trickier than 5.2 and 5.3. In looking at OpenID I don't see anything like 5.4, because the code itself IS actually called "Authorization Code" whereas 5.2 and 5.3 make sense as Authentication Request/Response.
Ultimately use your best judgement, but I can see the case for altering 5.2 and 5.3 but leaving 5.4. Also with 5.2 and 5.3 altered I think that helps clarify 5.4.
Yep, it's definitely the "Authorization Code", and it would not be appropriate to rename that. But the 5.2 and 5.3 headers can say "Authorization Request" since it's not talking about the code in that case.
The subheadings of Section 5 Authentication are:
When someone is skimming the specs to find the right section, this can be very confusing if they are actually looking for the implementation details for the "Authorization" flow. I ended up in Authentication when I was looking for Authorization and the only thing that clued me in was my familiarity with IndieAuth. When I saw `response_type=id`, I thought something strange was going on.
I think it brings more clarity and helps distinguish from Section 6: Authorization to rename sections 5.2, 5.3 and 5.4 to the following: