Since both PATs and RPTs are already formally defined, and function, as OAuth access tokens, I wonder if it's necessary to spell this requirement out. (The protection API is just about introspecting the RPT.) Eve Maler (sent from my iPad) | cell +1 425 345 6756
On Jul 10, 2017, at 6:44 AM, James Phillpotts <james.phillpotts@forgerock.com> wrote:
Hi all,
In https://docs.kantarainitiative.org/uma/wg/oauth-uma-federated-authz-2.0-05.h... given we just talk about RPTs and PATs, should we specify that the token_type_hint (if used) should be set to access_token?
ref: https://tools.ietf.org/html/rfc7662#section-2.1 and https://tools.ietf.org/html/rfc7009#section-4.1.2.2
Cheers James _______________________________________________ WG-UMA mailing list WG-UMA@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/wg-uma