On Tue, Mar 23, 2010 at 12:05 PM, Chuck Mortimore
<cmortim...@salesforce.com> wrote:
> No worries - I figured it would be easier to push for its inclusion if the
> work were minimal.

Yeah, definitely!


> We will definitely need to implement this style of profile, as will many
> others, so it's essential it ends in some spec.   Personally I'd rather see
> a relatively thin spec that includes the critical profiles, rather than core
> + profile + bindings + etc like SAML.   However I'm open to any approach
> that gets the profile included.

I'd like to pull the username/password and SAML flows into their own
documents.  I don't think that we want to propagate the usage of the
password anti-pattern and while I'm hearing clearly that the SAML flow
is needed, I don't think it will be used by the majority of deployers.

We should develop both of these flows at the same time as the core
spec so that they all go together.


> I'd be happy to be listed as an author, but it's more important that
> whoever authored the original assertion profile get listed/credit.   Not
> sure if that was Dick or one of the other authors...perhaps they can chime
> in.

Sure. I'd rather make sure everyone gets credit and then we can work
out what the spec says at the end.  OAuth 1.0 lists almost twenty
contributors.  I tried to be extremely humble in my acknowledgments
section especially given that I hadn't spoken to every WRAP author.

> This (early) draft was written pretty quickly and is heavily based on
> The OAuth 1.0 Protocol [draft-hammer-oauth-10], OAuth WRAP
> [draft-hardt-oauth-01] and further discussion on the IETF OAuth
> Working Group mailing list. Those authors and editors include Allen
> Tom (Yahoo!), Brian Eaton (Google), Dick Hardt, Eran Hammer-Lahav
> (Yahoo!) and Yaron Goland (Microsoft).

--David

>
> -cmort
>
>
>
> On 3/23/10 10:47 AM, "David Recordon" <record...@gmail.com> wrote:
>
> Hey Chuck,
> Thanks for rewriting the SAML flow into the style of my draft!  I
> really appreciate it.
>
> I originally dropped the SAML flow because I hadn't seen support for
> it on the mailing list(s) the past two months.  I think that our
> default should be making the spec as short and simple as possible so
> removed a few things from WRAP in order to start conversations like
> this one.  It's now clear that Google, Microsoft, Salesforce, and IBM
> all need the SAML profile.  Chuck, I'll merge your wording in.  Want
> to be listed as an author?
>
> We're also going to need to figure out which flows should be in the
> core spec versus which should be developed at the same time but in
> individual documents.
>
> Thanks,
> --David
>
> On Tue, Mar 23, 2010 at 4:50 AM, Torsten Lodderstedt
> <tors...@lodderstedt.net> wrote:
>> +1 for assertion support
>>
>> what about enhancing the flow #2.4 to accept any kind of user credentials
>> (username/password, SAML assertions, other authz servers tokens)
>>
>> regards,
>> Torsten.
>>
>> On 23.03.2010 at 12:42, Mark Mcgloin <mark.mcgl...@ie.ibm.com> wrote:
>>
>>> +1 for assertion profile. Was there any reason why it was dropped?
>>>
>>> On 3/23/10, Chuck Mortimore wrote:
>>>>
>>>> Just getting a chance to review this - I apologize for not getting this
>>>> before the meeting started.
>>>>
>>>> We'd like to see some form of an Assertion Profile, similar to section
>>>> 5.2 from draft-hardt-oauth-01.   We have strong customer use-cases for an
>>>> assertion based flow, specifically SAML bearer tokens, and I believe
>>>> Microsoft may have already shipped a minor variation on this (wrap_SAML)
>>>> in Azure.
>>>
>>>
>>> Mark McGloin
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>
>
>