I agree with Mike that any additional guidance on when you'd want to use an assertion for client authentication vs. when you would want to use one for an authorization grant would belong in the generic assertions specification draft-ietf-oauth-assertions.

I'm struggling with what guidance to give about it, however. Maybe I'm just too close to things, but it seems almost definitional - one is for client auth and the other is an authz grant. Radia (or really anyone), is there some specific text you can propose?

On Mon, Oct 6, 2014 at 1:54 AM, Mike Jones <michael.jo...@microsoft.com> wrote:
> Thanks for your review, Radia. I've added the working group to the thread so that they're aware of your comments.
>
> From: Radia Perlman [mailto:radiaperl...@gmail.com]
>
> Some background guidance on when you would want to use a token for client authentication vs. when you would want to use one for an authorization grant would be useful. In practice, the distinction between the two is subtle. It is common for a token to contain the caller's identity as well as group memberships and perhaps roles. I suspect the reality is that the client has to figure out which protocol slot the server wants to get the token in and provide it there, where service designers make the decision more or less arbitrarily.
>
> This guidance really belongs in the generic assertions specification draft-ietf-oauth-assertions. I'll plan on reviewing that spec with the other editors and the working group to see whether the guidance provided there needs to be improved.
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
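The two "protocol slots" the thread is about, shown as an added example (not code from the thread, the draft, or any listed implementation): the parameter names are the ones the assertions framework defines for each slot, while the assertion value, the code and the redirect URI are constructed placeholders.

```python
from urllib.parse import parse_qs, urlencode

# Constructed placeholder; a real request carries a signed JWT or SAML assertion here.
ASSERTION = "PLACEHOLDER.signed.assertion"

# Identifiers the assertions framework defines for each slot.
JWT_BEARER_GRANT = "urn:ietf:params:oauth:grant-type:jwt-bearer"
JWT_CLIENT_ASSERTION = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"


def client_auth_request(assertion, code, redirect_uri):
    """Assertion in the client-authentication slot.

    The grant being exchanged is still an authorization code; the assertion
    only proves which client is calling the token endpoint."""
    return urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_assertion_type": JWT_CLIENT_ASSERTION,
        "client_assertion": assertion,
    })


def authz_grant_request(assertion, scope=None, client_assertion=None):
    """Assertion in the authorization-grant slot.

    Here the assertion is the authorization itself. A second assertion may
    optionally authenticate the client, so a single request can use both slots."""
    params = {"grant_type": JWT_BEARER_GRANT, "assertion": assertion}
    if scope:
        params["scope"] = scope
    if client_assertion:
        params["client_assertion_type"] = JWT_CLIENT_ASSERTION
        params["client_assertion"] = client_assertion
    return urlencode(params)


def classify_assertion_use(body):
    """Token-endpoint view: in which slot(s) did an assertion arrive?

    Returns the roles the server must validate the assertion(s) for, so that a
    token meant only to authenticate the client is never accepted as a grant."""
    p = {k: v[0] for k, v in parse_qs(body, strict_parsing=True).items()}
    uses = []
    if p.get("client_assertion_type") == JWT_CLIENT_ASSERTION and "client_assertion" in p:
        uses.append("client_authentication")
    if p.get("grant_type") == JWT_BEARER_GRANT and "assertion" in p:
        uses.append("authorization_grant")
    return uses
```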