The explanation of on-behalf-Of and ActAs are correct in the document as defined by WS-Trust, this may not be your desire or understanding but that is how WS-Trust implementations should work
From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Brian Campbell Sent: Thursday, July 3, 2014 11:44 AM To: Vladimir Dzhuvinov Cc: oauth@ietf.org Subject: Re: [OAUTH-WG] draft-jones-oauth-token-exchange-00 FWIW, I am very interested in the general concept of a lightweight or OAuth based token exchange mechanism. However, despite some distaste for the protocol, our existing WS-Trust functionality has proven to be "good enough" for most use-cases, which seems to prevent work on token exchange from getting any real priority. I have a few thoughts on http://tools.ietf.org/html/draft-jones-oauth-token-exchange-00 which I've been meaning to write down but haven't yet, so this seems like as good a time as any. I would really like to see a simpler request model that doesn't require the request to be JWT encoded. The draft mentions the potential confusion around On-Behalf-Of vs. Impersonation Semantics. And it is confusing (to me anyway). In fact, the use of Act-As and On-Behalf-Of seem to be reversed from how they are defined in WS-Trust<http://docs.oasis-open.org/ws-sx/ws-trust/v1.4/ws-trust.html> (this MS FAQ<http://msdn.microsoft.com/en-us/library/ee748487.aspx> has less confusing wording). They should probably be aligned with that prior work to avoid further confusion. Or maybe making a clean break and introducing new terms would be better. I don't think the security_token_request grant type value is strictly legal per RFC 6749. The ABNF at http://tools.ietf.org/html/rfc6749#appendix-A.10 would allow it but according to http://tools.ietf.org/html/rfc6749#section-4.5 extension grants need an absolute URI as the grant type value (there's no grant type registry so the URI is the only means of preventing collision). On Fri, Jun 27, 2014 at 6:07 AM, Vladimir Dzhuvinov <vladi...@connect2id.com<mailto:vladi...@connect2id.com>> wrote: Has anyone implemented the OAuth 2.0 Token exchange draft, in particular the on-behalf-of semantics? We've got a use case for that and I'm curious if someone has used it in practice. http://tools.ietf.org/html/draft-jones-oauth-token-exchange-00 Thanks, Vladimir -- Vladimir Dzhuvinov <vladi...@connect2id.com<mailto:vladi...@connect2id.com>> Connect2id Ltd. _______________________________________________ OAuth mailing list OAuth@ietf.org<mailto:OAuth@ietf.org> https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth