Hi Nat,
The current text essentially says that the assertion can either be created by the client (in which case it is self-signed) or it can be created by some other entity (which is then called the third party token service). So, this third party could be the authorization server. Ciao Hannes From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of ext Nat Sakimura Sent: Monday, December 03, 2012 10:35 AM To: Brian Campbell; oauth Subject: [OAUTH-WG] Assertion Framework - Why does issuer have to be either the client or a third party token service? Hi Brian, The assertion framework defines the Issuer as: Issuer The unique identifier for the entity that issued the assertion. Generally this is the entity that holds the key material used to generate the assertion. The issuer may be either an OAuth client (when assertions are self-issued) or a third party token service. I was wondering why it has to be either the client or a third party token service. Conceptually, it could be any token service (functionality) residing in any of the stakeholders (Resource Owner, OAuth Client, Authorization Server, or a third party). I would appreciate if you could clarify why is the case. Best, -- Nat Sakimura (=nat) Chairman, OpenID Foundation http://nat.sakimura.org/ @_nat_en
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
