Open Stack

> I agree the token round-trip may not be the best for mobile apps,
> but they can at least be cached.

This is exactly what I'm doing for our iOS app :)  It still would be better if I didn't have to do it at all, though.  Even

> We're also getting something else
> with a token server though: service discovery (via service URL headers
> returned with token). This can be important for auto-configuring apps
> since you can simply enter a auth URL and the app will find out which
> services to expose and what the URLs for each service are.

This is true.  An endpoint list is certainly necessary, but it would be great if I only needed to call that one time instead of every time an auth token expires.