[Native SSO] /token endpoint

[bitbucket-import-issues]

Originally submitted by Takahiko Kawasaki (Takahiko Kawasaki) on 2025-04-24

In OpenID Connect Native SSO for Mobile Apps 1.0 draft 07, there are five instances where a slash is prefixed to “token endpoint”, resulting in “/token endpoint”. What is the reason for adding the slash? Unless the slash has a special meaning within the specification, it should be removed.

‌

1. Section 2. Abstract Flow, the 2nd last paragraph: “Step [9] invokes the /token endpoint with the token exchange profile …”
2. Section 3.2. Device Secret, the 2nd paragraph: “… the /token endpoint to exchange code for tokens.”
3. Section 3.2. Device Secret, the 2nd paragraph: “… The client SHOULD provide the device_secret to the /token endpoint during …”
4. Section 3.3. Token Request, the 2nd paragraph: “… the /token endpoint for the authorization_code and refresh_token grant types:”
5. Section 4.2. Token Exchange Request, the 1st paragraph: “… it makes a standard OAuth2 /token endpoint …”

‌

‌

---

Bitbucket status: new

Bitbucket origin: issue 2177

[bitbucket-import-issues]

Originally submitted by gffletch (gffletch) on 2026-02-05

I’m fine removing it. “/token” is the way I think to designate it’s an endpoint. But I agree it’s not necessary.