New versions of all three OAuth related assertion documents have been published. New document titles, URLs and change logs are listed below. I've tried to address the comments and discuss issues from the IESG review as well as subsequent discussion and decisions that took place in Orlando. There have also been some comments and questions on the WG list, which I've attempted to address and clarify things where possible. Special thanks to Mike Jones for the editorial help with these.
Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants
http://tools.ietf.org/html/draft-ietf-oauth-assertions-11

SAML 2.0 Profile for OAuth 2.0 Client Authentication and Authorization Grants
http://tools.ietf.org/html/draft-ietf-oauth-saml2-bearer-16

JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants
http://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-05

draft-ietf-oauth-assertions-11 <http://tools.ietf.org/html/draft-ietf-oauth-assertions-11>

 o Addressed comments from IESG evaluation https://datatracker.ietf.org/doc/draft-ietf-oauth-assertions/ballot/.
 o Reworded Interoperability Considerations to state what identifiers, keys, endpoints, etc. need to be exchanged/agreed upon.
 o Added brief description of assertion to the intro and included a reference to Section 3 <http://tools.ietf.org/html/draft-ietf-oauth-assertions-11#section-3> (Framework) where it's described more.
 o Changed such that a self-issued assertion must (was should) have the client id as the issuer.
 o Changed "Specific Assertion Format and Processing Rules" to "Common Scenarios" and reworded to be more suggestive of common practices, rather than trying to be normative. Also removed lots of repetitive text in that section.
 o Refined language around audience, subject, client identifiers, etc. to hopefully be clearer and less redundant.
 o Changed title from "Assertion Framework for OAuth 2.0" to "Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants" to be more explicit about the scope of the document per http://www.ietf.org/mail-archive/web/oauth/current/msg11063.html.
 o Noted that authentication of the client per Section 3.2.1 <http://tools.ietf.org/html/draft-ietf-oauth-assertions-11#section-3.2.1> of OAuth is optional for an access token request with an assertion as an authorization grant and removed client_id from the associated example.

draft-ietf-oauth-saml2-bearer-16 <http://tools.ietf.org/html/draft-ietf-oauth-saml2-bearer-16>

 o Changed title from "SAML 2.0 Bearer Assertion Profiles for OAuth 2.0" to "SAML 2.0 Profile for OAuth 2.0 Client Authentication and Authorization Grants" to be more explicit about the scope of the document per http://www.ietf.org/mail-archive/web/oauth/current/msg11063.html.
 o Fixed typo in text identifying the presenter from "or similar element, the" to "or similar element in the".
 o Numbered the list of processing rules.
 o Smallish editorial cleanups to try and improve readability and comprehensibility.
 o Cleaner split out of the processing rules in cases where they differ for client authentication and authorization grants.
 o Clarified the parameters that are used/available for authorization grants.
 o Added Interoperability Considerations section and info reference to SAML Metadata.
 o Added more explanatory context to the example in Section 4 <http://tools.ietf.org/html/draft-ietf-oauth-saml2-bearer-16#section-4>.

draft-ietf-oauth-jwt-bearer-05

 o Changed title from "JSON Web Token (JWT) Bearer Token Profiles for OAuth 2.0" to "JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants" to be more explicit about the scope of the document per http://www.ietf.org/mail-archive/web/oauth/current/msg11063.html.
 o Numbered the list of processing rules.
 o Smallish editorial cleanups to try and improve readability and comprehensibility.
 o Cleaner split out of the processing rules in cases where they differ for client authentication and authorization grants.
 o Clarified the parameters that are used/available for authorization grants.
 o Added Interoperability Considerations section.
 o Added more explanatory context to the example in Section 4 <http://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-05#section-4>.
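The assertions-11 change from SHOULD to MUST for self-issued assertions (issuer must equal the client id) is easiest to see as a claims check on the authorization server side. The following is an added illustration, not code from the drafts or from the author of this mail; it assumes the JWT signature has already been verified and the claim set decoded, and the audience and expiry checks follow the profiles' general processing rules rather than anything specific to this announcement.

```python
import time

# Constructed sample claim set of an already signature-verified JWT.
# The client id value is the example one used in the OAuth 2.0 spec.
SAMPLE_CLAIMS = {
    "iss": "s6BhdRkqt3",
    "sub": "s6BhdRkqt3",
    "aud": "https://as.example.com/token",
    "exp": 2000000000,
}

# Assumed identifier the authorization server expects to find in aud.
TOKEN_ENDPOINT = "https://as.example.com/token"


def check_self_issued_client_assertion(claims, client_id, audience, now=None):
    """Return a list of rule violations for a self-issued assertion used
    for client authentication; an empty list means it is acceptable.

    Rules applied:
      - iss must equal the client id (the SHOULD -> MUST change in -11)
      - sub must identify the client (client authentication case)
      - aud must contain this authorization server / token endpoint
      - exp must be present and still in the future
    """
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != client_id:
        problems.append("iss is not the client_id")
    if claims.get("sub") != client_id:
        problems.append("sub does not identify the client")
    aud = claims.get("aud")
    aud_values = aud if isinstance(aud, list) else [aud]
    if audience not in aud_values:
        problems.append("aud does not identify this authorization server")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)):
        problems.append("exp missing")
    elif exp <= now:
        problems.append("assertion expired")
    return problems
```

A rejected assertion should be logged with the offending claim, since an iss/client_id mismatch on a self-issued assertion is exactly the case the tightened rule is meant to make detectable.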
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth