And I was suggesting that OAuth token exchange align with the WS-Trust definitions or maybe even define totally new terms. But not use the same terms to mean different things.
On Thu, Jul 3, 2014 at 12:55 PM, Anthony Nadalin <tony...@microsoft.com> wrote:

> The explanation of on-behalf-Of and ActAs are correct in the document as
> defined by WS-Trust, this may not be your desire or understanding but that
> is how WS-Trust implementations should work
>
> *From:* OAuth [mailto:oauth-boun...@ietf.org] *On Behalf Of* Brian Campbell
> *Sent:* Thursday, July 3, 2014 11:44 AM
> *To:* Vladimir Dzhuvinov
> *Cc:* oauth@ietf.org
> *Subject:* Re: [OAUTH-WG] draft-jones-oauth-token-exchange-00
>
> FWIW, I am very interested in the general concept of a lightweight or
> OAuth based token exchange mechanism. However, despite some distaste for
> the protocol, our existing WS-Trust functionality has proven to be "good
> enough" for most use-cases, which seems to prevent work on token exchange
> from getting any real priority.
>
> I have a few thoughts on
> http://tools.ietf.org/html/draft-jones-oauth-token-exchange-00 which I've
> been meaning to write down but haven't yet, so this seems like as good a
> time as any.
>
> I would really like to see a simpler request model that doesn't require
> the request to be JWT encoded.
>
> The draft mentions the potential confusion around On-Behalf-Of vs.
> Impersonation Semantics. And it is confusing (to me anyway). In fact, the
> use of Act-As and On-Behalf-Of seem to be reversed from how they are
> defined in WS-Trust
> <http://docs.oasis-open.org/ws-sx/ws-trust/v1.4/ws-trust.html> (this MS
> FAQ <http://msdn.microsoft.com/en-us/library/ee748487.aspx> has less
> confusing wording). They should probably be aligned with that prior work to
> avoid further confusion. Or maybe making a clean break and introducing new
> terms would be better.
>
> I don't think the security_token_request grant type value is strictly
> legal per RFC 6749. The ABNF at
> http://tools.ietf.org/html/rfc6749#appendix-A.10 would allow it but
> according to http://tools.ietf.org/html/rfc6749#section-4.5 extension
> grants need an absolute URI as the grant type value (there's no grant type
> registry so the URI is the only means of preventing collision).
>
> On Fri, Jun 27, 2014 at 6:07 AM, Vladimir Dzhuvinov <vladi...@connect2id.com> wrote:
>
> Has anyone implemented the OAuth 2.0 Token exchange draft, in particular
> the on-behalf-of semantics? We've got a use case for that and I'm
> curious if someone has used it in practice.
>
> http://tools.ietf.org/html/draft-jones-oauth-token-exchange-00
>
> Thanks,
>
> Vladimir
> --
> Vladimir Dzhuvinov <vladi...@connect2id.com>
> Connect2id Ltd.
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
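The grant_type point raised in the quoted message (the Appendix A.10 ABNF accepts a bare name, but Section 4.5 requires an absolute URI for an extension grant) is easy to check mechanically. The following is an added example, not code from the thread or from any of the participants: it evaluates a grant_type value against both rules and shows that `security_token_request` passes the ABNF but fails the absolute-URI requirement, while a URN-form value (the form RFC 8693 later adopted, `urn:ietf:params:oauth:grant-type:token-exchange`) passes both. The `CORE_GRANT_TYPES` set and the conservative URI-reference check are this example's own assumptions.

```python
"""
Added example (not from the mailing-list thread): check an OAuth 2.0
grant_type value against two rules from RFC 6749.

  1. The ABNF in Appendix A.10:
       grant-type = grant-name / URI-reference
       grant-name = 1*name-char
       name-char  = "-" / "." / "_" / DIGIT / ALPHA
  2. Section 4.5: an *extension* grant MUST use an absolute URI as its
     grant_type value, since there is no registry to prevent collisions.

A bare name such as "security_token_request" satisfies (1) but not (2).
"""
import re
from urllib.parse import urlparse

# grant-name per Appendix A.10 (fullmatch so no trailing newline slips through)
_GRANT_NAME = re.compile(r"[A-Za-z0-9._-]+")

# RFC 3986 scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )
_SCHEME = re.compile(r"[A-Za-z][A-Za-z0-9+.-]*")

# Grant types RFC 6749 defines itself (assumed list for this example);
# anything else is treated as an extension grant subject to Section 4.5.
CORE_GRANT_TYPES = {"authorization_code", "password", "client_credentials", "refresh_token"}


def matches_abnf(value: str) -> bool:
    """True if value is a grant-name or a plausible URI-reference (Appendix A.10)."""
    if _GRANT_NAME.fullmatch(value):
        return True
    # URI-reference: conservative check, non-empty with no whitespace or control characters
    return bool(value) and not any(ch.isspace() or ord(ch) < 0x20 for ch in value)


def is_absolute_uri(value: str) -> bool:
    """RFC 3986 absolute-URI: scheme ':' hier-part [ '?' query ], with no fragment."""
    parsed = urlparse(value)
    if not parsed.scheme or parsed.fragment:
        return False
    if not _SCHEME.fullmatch(parsed.scheme):
        return False
    # hier-part must be present (urn:... puts it in .path, https://... in .netloc)
    return bool(parsed.netloc or parsed.path)


def check_grant_type(value: str) -> dict:
    """Return a per-rule verdict for a grant_type request-parameter value."""
    abnf_ok = matches_abnf(value)
    if value in CORE_GRANT_TYPES:
        # Core grants are bare names by definition; Section 4.5 does not apply.
        return {"abnf": abnf_ok, "section_4_5": True, "extension": False}
    return {"abnf": abnf_ok, "section_4_5": is_absolute_uri(value), "extension": True}


if __name__ == "__main__":
    for candidate in ("security_token_request",
                      "urn:ietf:params:oauth:grant-type:token-exchange",
                      "authorization_code"):
        print(candidate, "->", check_grant_type(candidate))
```

Running it shows the distinction the message draws: the draft's bare name is ABNF-valid yet not a legal extension grant_type, whereas the URN form satisfies both rules.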