+1. And why it was not looked at that time? oauth-boun...@ietf.org 写于 2012-12-04 01:30:55:
> Actually, I think it is a good time to start looking at the resourse > owner issuing assertions@ (Interestingly enough, Hui-Lan had brought > this up a couple of years ago.) > > Igor > > On 12/3/2012 3:58 AM, Nat Sakimura wrote: > I suppose, yes. I was reading it like that all the time. > Whether it is or not, if it is still ok, it might be better to clarify it. > Word like "third party" tends to be a bit of problem without clearlydefining. > I had similar experience in other fora. > > Nat > > Sent from iPad > > 2012/12/03 0:52、"zhou.suj...@zte.com.cn" <zhou.suj...@zte.com.cn> の > メッセ�`ジ: > > could be Resource owner? > > > "Tschofenig, Hannes (NSN - FI/Espoo)" <hannes.tschofe...@nsn.com> > 发件人: oauth-boun...@ietf.org > 2012-12-03 16:49 > > 收件人 > > "ext Nat Sakimura" <sakim...@gmail.com>, "Brian Campbell" < > bcampb...@pingidentity.com>, "oauth" <oauth@ietf.org> > > 抄送 > > 主题 > > Re: [OAUTH-WG] Assertion Framework - Why does issuer have to be > either the client or a third party token service? > > > > > Hi Nat, > > The current text essentially says that the assertion can either be > created by the client (in which case it is self-signed) or it can be > created by some other entity (which is then called the third party > token service). So, this third party could be the authorization server. > > Ciao > Hannes > > > From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of > ext Nat Sakimura > Sent: Monday, December 03, 2012 10:35 AM > To: Brian Campbell; oauth > Subject: [OAUTH-WG] Assertion Framework - Why does issuer have to be > either the client or a third party token service? > > Hi Brian, > > > The assertion framework defines the Issuer as: > > Issuer The unique identifier for the entity that issued the > assertion. Generally this is the entity that holds the key > material used to generate the assertion. The issuer may be either > an OAuth client (when assertions are self-issued) or a third party > token service. > > I was wondering why it has to be either the client or a third party > token service. > Conceptually, it could be any token service (functionality) residingin any of > > the stakeholders (Resource Owner, OAuth Client, Authorization Server, or > a third party). > > > I would appreciate if you could clarify why is the case. > > > Best, > > -- > Nat Sakimura (=nat) > Chairman, OpenID Foundation > http://nat.sakimura.org/ > @_nat_en > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
