On Thu, Aug 12, 2010 at 11:19 AM, Chuck Mortimore <cmortim...@salesforce.com> wrote:
> I think it would be reasonable to loosen the language to reflect that the
> subject is who access will be granted to. It may or may not be the
> resource owner, I agree.
Any thoughts on what that would look like in the spec? Something like "The assertion MUST contain a <Subject> element. The <Subject> MAY identify the resource owner for whom the access token is being requested."? Or just drop the language about resource owner altogether? Or something else?

What about the two bullets on AuthnStatement?

o If the assertion issuer authenticated the subject, the assertion SHOULD contain a single <AuthnStatement> representing that authentication event.

o If the assertion was issued with the intention that the client act autonomously on behalf of the subject, an <AuthnStatement> SHOULD NOT be included.

They kind of, but not completely, imply/assume some explicit relationship between the subject and resource owner.
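As an added example (not code from this thread, from the draft, or from any of its authors), the following shows how a token endpoint could turn the proposed <Subject> wording and the two <AuthnStatement> bullets into structural checks on an incoming SAML 2.0 assertion. It assumes the endpoint already knows, for instance from client registration, whether the client is acting autonomously; the draft text quoted above does not say where that knowledge comes from, so that is passed in as a flag. The sample assertions are constructed for the example. Signature, Issuer, Conditions/Audience and expiry validation are deliberately out of scope and must happen before these checks in a real deployment; for untrusted XML, use defusedxml rather than the stdlib parser used here so the example runs offline.

```python
"""Structural checks for a SAML 2.0 assertion presented as an OAuth grant.

Added example, not code from the mailing-list thread or from the draft.
It checks only the two points under discussion: that exactly one <Subject>
is present, and that the presence of <AuthnStatement> matches whether the
client is acting autonomously. Signature, Issuer, Conditions/Audience and
expiry checks are out of scope here and must be done before anything below.
"""
import xml.etree.ElementTree as ET  # for untrusted input prefer defusedxml

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}


def check_subject_and_authn(assertion_xml: str, autonomous: bool) -> list:
    """Return a list of finding strings; an empty list means both checks pass.

    `autonomous` is an assumption about how the token endpoint learns the
    client's mode (e.g. from client registration); the thread does not say.
    """
    root = ET.fromstring(assertion_xml)
    findings = []

    if root.tag != f"{{{SAML_NS}}}Assertion":
        return [f"root element is {root.tag}, not a SAML 2.0 Assertion"]

    # Proposed wording: "The assertion MUST contain a <Subject> element."
    subjects = root.findall("saml:Subject", NS)
    if len(subjects) != 1:
        findings.append(f"expected exactly one <Subject>, found {len(subjects)}")
    else:
        # The subject is who access will be granted to; it may or may not be
        # the resource owner, so no owner mapping is attempted here.
        name_id = subjects[0].find("saml:NameID", NS)
        if name_id is None or not (name_id.text or "").strip():
            findings.append("<Subject> has no usable <NameID>")

    # The two bullets on <AuthnStatement>.
    authn = root.findall("saml:AuthnStatement", NS)
    if autonomous:
        # Client acts autonomously on behalf of the subject: SHOULD NOT be included.
        if authn:
            findings.append(
                f"autonomous grant but {len(authn)} <AuthnStatement> element(s) present"
            )
    else:
        # Issuer authenticated the subject: SHOULD contain a single <AuthnStatement>.
        if len(authn) != 1:
            findings.append(
                f"authenticated-subject grant but {len(authn)} <AuthnStatement> "
                f"element(s) present (expected 1)"
            )
        elif "AuthnInstant" not in authn[0].attrib:
            # SAML 2.0 core makes AuthnInstant a required attribute.
            findings.append("<AuthnStatement> lacks the required AuthnInstant attribute")

    return findings


def _assertion(body: str) -> str:
    """Wrap constructed sample content in a minimal SAML 2.0 Assertion element."""
    return (
        f'<saml:Assertion xmlns:saml="{SAML_NS}" ID="_example" Version="2.0" '
        f'IssueInstant="2010-08-12T18:19:00Z">'
        f"<saml:Issuer>https://idp.example.com</saml:Issuer>{body}</saml:Assertion>"
    )


# Constructed sample fragments (hypothetical issuer and subject).
SUBJECT = "<saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>"
AUTHN = (
    '<saml:AuthnStatement AuthnInstant="2010-08-12T18:18:30Z">'
    "<saml:AuthnContext><saml:AuthnContextClassRef>"
    "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"
    "</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement>"
)

INTERACTIVE_OK = _assertion(SUBJECT + AUTHN)   # authenticated subject, one AuthnStatement
AUTONOMOUS_OK = _assertion(SUBJECT)            # autonomous client, no AuthnStatement
NO_SUBJECT = _assertion(AUTHN)                 # violates the MUST
TWO_AUTHN = _assertion(SUBJECT + AUTHN + AUTHN)  # not "a single" AuthnStatement

if __name__ == "__main__":
    for label, xml, mode in [
        ("interactive", INTERACTIVE_OK, False),
        ("autonomous", AUTONOMOUS_OK, True),
        ("mismatched mode", INTERACTIVE_OK, True),
        ("no subject", NO_SUBJECT, False),
        ("two authn", TWO_AUTHN, False),
    ]:
        print(label, check_subject_and_authn(xml, autonomous=mode) or "ok")
```

Because both AuthnStatement bullets are SHOULDs, a deployment may choose to log rather than reject on those findings, while the missing <Subject> is a MUST violation and should fail the grant.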