Hi, I have been looking into this draft, which is very well written, and I would like a clarification regarding the workflow in figure 1 of the draft.
This workflow is a bit different to the typical one I imagine for constrained clients/servers. Such devices would typically be provisioned from some kind of a commissioning tool and the tool would also initiate the provisioning process. Therefore, would it not be better to have a protocol flow that is not necessarily initiated by the client device? I show two options below. In Option 1, the Resource Owner would be a commissioning tool and in Option 2, the Authorization Server would be the commissioning tool. In the protocol flow in your draft, I will need a proprietary method to generate the token request message from client to AS.

OPTION 1:

+--------+                               +---------------+
|        |                               |   Resource    |
|        |                               |     Owner     |
|        |<-(A)-- Authorization Grant ---|               |
|        |                               +---------------+
|        |
|        |                               +---------------+
|        |--(B)-- Authorization Grant -->| Authorization |
| Client |                               |     Server    |
|        |<-(C)----- Access Token -------|               |
|        |                               +---------------+
|        |
|        |                               +---------------+
|        |--(D)----- Access Token ------>|    Resource   |
|        |                               |     Server    |
|        |<-(E)--- Protected Resource ---|               |
+--------+                               +---------------+

OPTION 2:

+--------+                               +---------------+
|        |                               |               |
|        |                               | Authorization |
|        |<--(A)-- Access Token ---------|    Server     |
|        |      + Client Information     |               |
|        |                               +---------------+
|        |                                   ^       |
|        |          Introspection Request (C)|       |
| Client |                                   |       |
|        |          Response + Client Token  |       |(D)
|        |                                   |       v
|        |                               +--------------+
|        |---(B)-- Token + Request ----->|              |
|        |                               |   Resource   |
|        |<--(E)-- Protected Resource ---|    Server    |
|        |                               |              |
+--------+                               +--------------+
_______________________________________________ Ace mailing list Ace@ietf.org https://www.ietf.org/mailman/listinfo/ace
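Option 2 from the post above, simulated end to end in Python as an added illustration (this is not code from the draft, from the ACE working group, or from the poster). It assumes a symmetric key shared between the AS and the RS, an HMAC-protected token, and constructed identifiers (rs1, client42, the scope names); the AS both pushes the token and client information to the client (A) and answers the RS's introspection request (C)/(D), so a tampered, expired or out-of-scope token is refused at the RS before any protected resource is returned (E).

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed sample: a symmetric key provisioned out of band between AS and RS
# (assumption; the draft's flow does not fix the token format or key type).
AS_RS_KEY = b"constructed-commissioning-shared-key"
TAG_LEN = 32  # SHA-256 HMAC tag appended to the serialized claims


class AuthorizationServer:
    """Plays the commissioning tool of Option 2: issues token + client info (A)
    and serves introspection requests from the RS (C)/(D)."""

    def __init__(self, key: bytes):
        self.key = key
        # Constructed registry of resource servers the AS can point clients at.
        self.rs_registry = {"rs1": {"uri": "coap://rs1.example"}}

    def issue(self, client_id: str, audience: str, scope: set, now: int, ttl: int = 300):
        claims = {
            "cti": secrets.token_hex(8),        # token identifier
            "client_id": client_id,
            "aud": audience,                     # the RS the token is bound to
            "scope": sorted(scope),
            "exp": now + ttl,
        }
        payload = json.dumps(claims, sort_keys=True).encode()
        tag = hmac.new(self.key, payload, hashlib.sha256).digest()
        token = base64.urlsafe_b64encode(payload + tag).decode()
        # (A): the client learns where and how to reach the RS alongside the token.
        client_info = {"rs": audience, **self.rs_registry[audience]}
        return token, client_info

    def introspect(self, token: str, now: int) -> dict:
        """(C)/(D): validate a presented token and return its claims, or active=False."""
        try:
            raw = base64.urlsafe_b64decode(token.encode())
        except Exception:
            return {"active": False}
        payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
        expected = hmac.new(self.key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return {"active": False}            # integrity failure
        claims = json.loads(payload)
        if claims["exp"] <= now:
            return {"active": False}            # expired
        return {"active": True, **claims}


class ResourceServer:
    def __init__(self, name: str, authz: AuthorizationServer):
        self.name = name
        self.authz = authz

    def handle(self, token: str, resource: str, now: int):
        """(B) token + request arrives; RS introspects before serving (E)."""
        info = self.authz.introspect(token, now)
        if not info["active"]:
            return None
        if info["aud"] != self.name or resource not in info["scope"]:
            return None                          # wrong RS or insufficient scope
        return f"protected:{resource}"           # (E) protected resource


def option2_flow(now: int = 1000, present_at: int = None, resource: str = "temperature",
                 tamper: bool = False):
    """Run the whole exchange; returns the protected resource or None on refusal."""
    authz = AuthorizationServer(AS_RS_KEY)
    rs = ResourceServer("rs1", authz)
    token, _client_info = authz.issue("client42", "rs1", {"temperature", "humidity"}, now)
    if tamper:
        # Flip one bit of the serialized claims; the HMAC tag no longer matches.
        raw = bytearray(base64.urlsafe_b64decode(token.encode()))
        raw[0] ^= 1
        token = base64.urlsafe_b64encode(bytes(raw)).decode()
    return rs.handle(token, resource, now if present_at is None else present_at)


if __name__ == "__main__":
    print(option2_flow())                        # protected:temperature
    print(option2_flow(tamper=True))             # None
    print(option2_flow(present_at=2000))         # None (expired)
```

The point the simulation makes is that in Option 2 the client never constructs a token request: the AS (commissioning tool) pushes the token and client information, and the RS's introspection call is what carries the trust decision, so the RS refuses anything the AS will not vouch for.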