Tom, I think this is interesting and important work as it could help more directly bridge the gap between Kerberos deployments (more common in enterprise/LAN environments) and the OAuth/web/mobile world.
When you get down to it, there are really two things going on here: mapping Kerberos ticket claims to JWT claims (and vice versa), and the act of actually translating a ticket into an OAuth token. Perhaps these should be separated more cleanly? I can very easily picture a service that takes in Kerberos tickets and spits out unstructured tokens (or at least tokens without the same claims baked in). This could be specified as an extension of the OAuth Assertions framework, mirroring the JWT and SAML assertions, and could pretty easily be picked up as a WG document if people wanted it. In addition to that (but ultimately separate from it, whether it’s in the same document or not), a mechanism for expressing the set of information that’s inside of the Kerberos ticket using the JOSE family of specs still makes sense to have. Much of what’s in JWT’s claim set was influenced by SAML and (to a lesser extent) X.509, so it seems useful to have a similar Kerberos-to-JWT translation process, especially since Kerberos has a few fields that aren’t covered by the current JWT claim set and could be found useful by applications. Better to line up with an existing protocol in this case, in my opinion. — Justin On Nov 30, 2014, at 9:01 PM, Tom Yu <t...@mit.edu> wrote: > Added more technical details and examples. > > <New Version Notification for > draft-yu-oauth-token-translation-01_txt.eml>_______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth
signature.asc
Description: Message signed with OpenPGP using GPGMail
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
