I don't think they do line up, at least not they way I read text from http://docs.oasis-open.org/ws-sx/ws-trust/v1.4/ws-trust.html and http://msdn.microsoft.com/en-us/library and /ee748487.aspx <http://msdn.microsoft.com/en-us/library/ee748487.aspx> and *http://tools.ietf.org/html/draft-jones-oauth-token-exchange-00 <http://tools.ietf.org/html/draft-jones-oauth-token-exchange-00>*
Indecently, Bradely was the guy that suggested to me that the definitions are reversed so I'm guessing he reads it the same way. But Tony and Mike are authors of the two specs respectively in question so, if they say that the definitions are aligned, they must be right. As Phil said, there is a lot of historical confusion about the terms and I think this conversation only underscores that confusion. A clean break with new terms might be the way to go. On Thu, Jul 3, 2014 at 1:51 PM, Phil Hunt <phil.h...@oracle.com> wrote: > I suspect it lines up. But Brian’s point may still be relevant. There is > *long* standing confusion of the terms (because many of have different > english interpretation than WS-Trust). Might be time for new terms? > > Impersonate (or even personate) vs. delegate ? > > Those terms differentiate between impersonating a whole person vs. having > delegate or scoped authority to act for someone. > > Sorry if this is an old discussion. > > Phil > > @independentid > www.independentid.com > phil.h...@oracle.com > > > > On Jul 3, 2014, at 12:20 PM, Mike Jones <michael.jo...@microsoft.com> > wrote: > > I’m lost too, as when I wrote this, I explicitly modelled it after > WS-Trust. If there’s a concrete discrepancy you can point out, that would > be great. > > > > FYI, I do plan to refresh this draft too allow for a more flexible trust > model shortly. > > > > -- Mike > > > > *From:* OAuth [mailto:oauth-boun...@ietf.org <oauth-boun...@ietf.org>] *On > Behalf Of *Anthony Nadalin > *Sent:* Thursday, July 03, 2014 12:04 PM > *To:* Brian Campbell > *Cc:* oauth@ietf.org > *Subject:* Re: [OAUTH-WG] draft-jones-oauth-token-exchange-00 > > > > I’m lost, the terms defined in the oauth token-exchange draft are the same > terms defined in ws-trust and have the same definitions > > > > *From:* Brian Campbell [mailto:bcampb...@pingidentity.com > <bcampb...@pingidentity.com>] > *Sent:* Thursday, July 3, 2014 12:02 PM > *To:* Anthony Nadalin > *Cc:* Vladimir Dzhuvinov; oauth@ietf.org > *Subject:* Re: [OAUTH-WG] draft-jones-oauth-token-exchange-00 > > > > And I was suggesting that OAuth token exchange align with the WS-Trust > definitions or maybe even define totally new terms. But not use the same > terms to mean different things. > > > > On Thu, Jul 3, 2014 at 12:55 PM, Anthony Nadalin <tony...@microsoft.com> > wrote: > > The explanation of on-behalf-Of and ActAs are correct in the document as > defined by WS-Trust, this may not be your desire or understanding but that > is how WS-Trust implementations should work > > > > *From:* OAuth [mailto:oauth-boun...@ietf.org] *On Behalf Of *Brian > Campbell > *Sent:* Thursday, July 3, 2014 11:44 AM > *To:* Vladimir Dzhuvinov > *Cc:* oauth@ietf.org > *Subject:* Re: [OAUTH-WG] draft-jones-oauth-token-exchange-00 > > > > FWIW, I am very interested in the general concept of a lightweight or > OAuth based token exchange mechanism. However, despite some distaste for > the protocol, our existing WS-Trust functionality has proven to be "good > enough" for most use-cases, which seems to prevent work on token exchange > from getting any real priority. > > I have a few thoughts on > http://tools.ietf.org/html/draft-jones-oauth-token-exchange-00 which I've > been meaning to write down but haven't yet, so this seems like as good a > time as any. > > I would really like to see a simpler request model that doesn't require > the request to be JWT encoded. > > The draft mentions the potential confusion around On-Behalf-Of vs. > Impersonation Semantics. And it is confusing (to me anyway). In fact, the > use of Act-As and On-Behalf-Of seem to be reversed from how they are > defined in WS-Trust > <http://docs.oasis-open.org/ws-sx/ws-trust/v1.4/ws-trust.html> (this MS > FAQ <http://msdn.microsoft.com/en-us/library/ee748487.aspx> has less > confusing wording). They should probably be aligned with that prior work to > avoid further confusion. Or maybe making a clean break and introducing new > terms would be better. > > I don't think the security_token_request grant type value is strictly > legal per RFC 6749. The ABNF at > http://tools.ietf.org/html/rfc6749#appendix-A.10 would allow it but > according to http://tools.ietf.org/html/rfc6749#section-4.5 extension > grants need an absolute URI as the grant type value (there's no grant type > registry so the URI is the only means of preventing collision). > > > > > > > > > > > On Fri, Jun 27, 2014 at 6:07 AM, Vladimir Dzhuvinov < > vladi...@connect2id.com> wrote: > > Has anyone implemented the OAuth 2.0 Token exchange draft, in particular > the on-behalf-of semantics? We've got a use case for that and I'm > curious if someone has used it in practice. > > http://tools.ietf.org/html/draft-jones-oauth-token-exchange-00 > > Thanks, > > Vladimir > -- > Vladimir Dzhuvinov <vladi...@connect2id.com> > Connect2id Ltd. > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > > > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > > >
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
