I am not objecting that RS should define its requirements...  and RS
should be able to do it by each resource... So ideally RS may have a way to
express that in a WADL and we need to have a standard mechanism established
for communication between RS and AS.

In WS-Trust - SP can declare its token requirements via WS-SecurityPolicy,
in WSDL. And client reads the WSDL and identifies the token requirements.
Then based on those requirements, client talks to the STS and gets the
token.

Thanks & regards,
-Prabath

On Mon, Jan 21, 2013 at 1:07 PM, <zhou.suj...@zte.com.cn> wrote:

>
> Prabath Siriwardena <prab...@wso2.com> wrote on 2013-01-21 15:27:57:
>
>
> > I guess that is a pattern used in many scenarios. Requesting client can
> > suggest - but it's up to the AS to honor it or not...
>
>
> Not exactly. For example, RS supports two token types: one is bearer token,
> another is holder-of-key, which is assumed more secure than the first one.
> RS really wants the second type, but (a dishonest) client, always choosing
> the weakest, requests the first one.
> What is the meaning for client to specify the token type?
>
> >
> > Thanks & regards,
> > -prabath
>
> > On Mon, Jan 21, 2013 at 12:43 PM, <zhou.suj...@zte.com.cn> wrote:
> >
> > William Mills <wmills_92...@yahoo.com> wrote on 2013-01-21 13:44:45:
> >
> >
> > > Not a problem for the client to request a type, but it may not get it.
> >
> > I don't object to client requesting a type, but I think it is
> > meaningful only when the requested type is specified by an RS,
> > and client just relays that request to AS.
> >
> > >
> > > From: "zhou.suj...@zte.com.cn" <zhou.suj...@zte.com.cn>
> > > To: Prabath Siriwardena <prab...@wso2.com>
> > > Cc: "oauth@ietf.org WG" <oauth@ietf.org>; William Mills
> > > <wmills_92...@yahoo.com>
> > > Sent: Sunday, January 20, 2013 9:38 PM
> > > Subject: Re: Re: Re: [OAUTH-WG] Client cannot specify the token type it needs
> > >
> > >
> > > Well, if RS could specify token type, then Client could transfer it to AS,
> > > I think, but it is not a good idea for client itself to specify the
> > > token type.
> > >
> > >
> > > Prabath Siriwardena <prab...@wso2.com> wrote on 2013-01-21 13:29:05:
> > >
> > > > Think about a distributed setup. You have single Authorization
> > > > Server and multiple Resource Servers.
> > > >
> > > > Although OAuth nicely decouples AS from RS - AFAIK there is no
> > > > standard established for communication between AS and RS - how to
> > > > declare metadata between those.
> > > >
> > > > Also there can be Resource Servers which support multiple token
> > > > types. It could vary on APIs hosted in a given RS.
> > > >
> > > > Thanks & regards,
> > > > -Prabath
> > > >
> > > > On Mon, Jan 21, 2013 at 10:48 AM, <zhou.suj...@zte.com.cn> wrote:
> > > >
> > > > The token type should be decided by resource server, which consumes
> > > > access token.
> > > > Client just re-tells the requested token type to AS.
> > > > Client should not specify the token type.
> > > >
> > > >
> > > > oauth-boun...@ietf.org wrote on 2013-01-21 13:08:39:
> > > >
> > > >
> > > > > This is true.  It's possible for the AS to vary its behavior on
> > > > > scope name, but it's presumed the AS and RS have an agreement of
> > > > > what token type is in play.  Likely a good extension to the spec.
> > > >
> > > > >
> > > > > From: Prabath Siriwardena <prab...@wso2.com>
> > > > > To: "oauth@ietf.org WG" <oauth@ietf.org>
> > > > > Sent: Sunday, January 20, 2013 7:28 PM
> > > > > Subject: [OAUTH-WG] Client cannot specify the token type it needs
> > > >
> > > > >
> > > > > Although token type is extensible according to the OAuth core
> > > > > specification - it is fully governed by the Authorization Server.
> > > > >
> > > > > There can be a case where a single AS supports multiple token
> > > > > types based on client request.
> > > > >
> > > > > But currently we don't have a way the client can specify (or at
> > > > > least suggest) which token type it needs in the OAuth access
> > > > > token request?
> > > > >
> > > > > Is this behavior intentional? Or am I missing something...
> > > > >
> > > > > Thanks & Regards,
> > > > > Prabath
> > > > >
> > > > > Mobile : +94 71 809 6732
> > > > >
> > > > > http://blog.facilelogin.com
> > > > > http://RampartFAQ.com
> > > > >
> > > > > _______________________________________________
> > > > > OAuth mailing list
> > > > > OAuth@ietf.org
> > > > > https://www.ietf.org/mailman/listinfo/oauth
> > > > >



-- 
Thanks & Regards,
Prabath

Mobile : +94 71 809 6732

http://blog.facilelogin.com
http://RampartFAQ.com
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
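As an added example (not code from the thread or from any of its participants), here is how an AS could resolve the token type along the lines argued above: the RS declares a per-resource minimum, the client's requested type is only a hint, and a hint below that minimum is raised rather than honored. The resource URLs, the strength ranking, and the table standing in for RS-to-AS metadata are all assumptions.

```python
# Added example, not from the thread or from any poster's implementation: an AS
# token-endpoint helper that treats the client's suggested token_type as a hint
# and enforces a per-resource minimum declared by the RS, so a client that always
# asks for the weakest type cannot downgrade below what the RS demands.
# The policy table, the strength ranking and the result labels are hypothetical.
from typing import NamedTuple, Optional

# Weakest first; holder-of-key is taken as stronger than bearer, as in the thread.
TOKEN_STRENGTH = {"bearer": 1, "holder-of-key": 2}

# Hypothetical per-resource minimum the RS has published to the AS. The thread
# notes there is no standard channel for this; here it is simply a table.
RS_MINIMUM_TYPE = {
    "https://rs.example/api/catalog": "bearer",
    "https://rs.example/api/payments": "holder-of-key",
}


class Decision(NamedTuple):
    token_type: str  # type the AS will actually issue
    reason: str      # "client-request", "rs-minimum" or "raised-to-rs-minimum"


def resolve_token_type(resource: str, requested: Optional[str]) -> Decision:
    """Choose the token type for `resource`; the RS minimum is a hard floor."""
    minimum = RS_MINIMUM_TYPE.get(resource)
    if minimum is None:
        raise ValueError(f"no RS policy known for {resource}")
    if requested is None:
        return Decision(minimum, "rs-minimum")        # no hint: issue the RS floor
    if requested not in TOKEN_STRENGTH:
        raise ValueError(f"unsupported token_type {requested!r}")
    if TOKEN_STRENGTH[requested] >= TOKEN_STRENGTH[minimum]:
        return Decision(requested, "client-request")  # at or above the floor
    # The "dishonest client" case from the thread: the hint is below the floor,
    # so the AS issues the RS minimum instead of honoring the downgrade.
    return Decision(minimum, "raised-to-rs-minimum")


if __name__ == "__main__":
    print(resolve_token_type("https://rs.example/api/payments", "bearer"))
```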