I suspect it lines up. But Brian’s point may still be relevant. There is *long* standing confusion of the terms (because many of have different english interpretation than WS-Trust). Might be time for new terms?
Impersonate (or even personate) vs. delegate ? Those terms differentiate between impersonating a whole person vs. having delegate or scoped authority to act for someone. Sorry if this is an old discussion. Phil @independentid www.independentid.com phil.h...@oracle.com On Jul 3, 2014, at 12:20 PM, Mike Jones <michael.jo...@microsoft.com> wrote: > I’m lost too, as when I wrote this, I explicitly modelled it after WS-Trust. > If there’s a concrete discrepancy you can point out, that would be great. > > FYI, I do plan to refresh this draft too allow for a more flexible trust > model shortly. > > -- Mike > > From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Anthony Nadalin > Sent: Thursday, July 03, 2014 12:04 PM > To: Brian Campbell > Cc: oauth@ietf.org > Subject: Re: [OAUTH-WG] draft-jones-oauth-token-exchange-00 > > I’m lost, the terms defined in the oauth token-exchange draft are the same > terms defined in ws-trust and have the same definitions > > From: Brian Campbell [mailto:bcampb...@pingidentity.com] > Sent: Thursday, July 3, 2014 12:02 PM > To: Anthony Nadalin > Cc: Vladimir Dzhuvinov; oauth@ietf.org > Subject: Re: [OAUTH-WG] draft-jones-oauth-token-exchange-00 > > And I was suggesting that OAuth token exchange align with the WS-Trust > definitions or maybe even define totally new terms. But not use the same > terms to mean different things. > > > On Thu, Jul 3, 2014 at 12:55 PM, Anthony Nadalin <tony...@microsoft.com> > wrote: > The explanation of on-behalf-Of and ActAs are correct in the document as > defined by WS-Trust, this may not be your desire or understanding but that is > how WS-Trust implementations should work > > From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Brian Campbell > Sent: Thursday, July 3, 2014 11:44 AM > To: Vladimir Dzhuvinov > Cc: oauth@ietf.org > Subject: Re: [OAUTH-WG] draft-jones-oauth-token-exchange-00 > > FWIW, I am very interested in the general concept of a lightweight or OAuth > based token exchange mechanism. However, despite some distaste for the > protocol, our existing WS-Trust functionality has proven to be "good enough" > for most use-cases, which seems to prevent work on token exchange from > getting any real priority. > > I have a few thoughts on > http://tools.ietf.org/html/draft-jones-oauth-token-exchange-00 which I've > been meaning to write down but haven't yet, so this seems like as good a time > as any. > > I would really like to see a simpler request model that doesn't require the > request to be JWT encoded. > > The draft mentions the potential confusion around On-Behalf-Of vs. > Impersonation Semantics. And it is confusing (to me anyway). In fact, the use > of Act-As and On-Behalf-Of seem to be reversed from how they are defined in > WS-Trust (this MS FAQ has less confusing wording). They should probably be > aligned with that prior work to avoid further confusion. Or maybe making a > clean break and introducing new terms would be better. > > I don't think the security_token_request grant type value is strictly legal > per RFC 6749. The ABNF at http://tools.ietf.org/html/rfc6749#appendix-A.10 > would allow it but according to > http://tools.ietf.org/html/rfc6749#section-4.5 extension grants need an > absolute URI as the grant type value (there's no grant type registry so the > URI is the only means of preventing collision). > > > > > > > > > > On Fri, Jun 27, 2014 at 6:07 AM, Vladimir Dzhuvinov <vladi...@connect2id.com> > wrote: > Has anyone implemented the OAuth 2.0 Token exchange draft, in particular > the on-behalf-of semantics? We've got a use case for that and I'm > curious if someone has used it in practice. > > http://tools.ietf.org/html/draft-jones-oauth-token-exchange-00 > > Thanks, > > Vladimir > -- > Vladimir Dzhuvinov <vladi...@connect2id.com> > Connect2id Ltd. > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth