Hi all,

This is a follow-up on the presentations last Monday (oauth) & Thursday (wimse) on Delegated Authorization (https://datatracker.ietf.org/doc/draft-li-oauth-delegated-authorization/, slides at https://datatracker.ietf.org/meeting/124/materials/slides-124-oauth-sessa-delegated-authorization-00). Thanks to all who provided valuable feedback!
We have created a GitHub repo for the draft at https://github.com/liuchunchi/li-oauth-delegated-authorization.

Below are some clarifications on how this draft differs from other delegation solutions.

This draft vs token exchange and its derivatives (Transaction Tokens, Identity Chaining, Identity Assertion, ...):

* Both can support:
  o downscoping
  o txn binding
  o reducing lifespan / single-use
* Advantages of this draft:
  o It enables local downscoping at the client or middle parties along the call chain -> can be useful for large scale delegation / constrained environments.
  o The delegator can obtain the delegatee's public key and bind it to the sub-token (dt/dat) before sending it to the delegatee, to prevent unauthorized use of the sub-token if leaked.
    (side note: perhaps this can be applied to token exchange as well in a separate draft?)
  o Delegation can happen outside the trust boundary of the target resource (compared to txn tokens), no federation needed (compared to identity chaining).
* Limitations:
  o It does not allow adding additional asserted values in the new token

Another alternative is passing access/refresh token around, which has similar properties as above.

Look forward to comments and collaborations!

Best Regards,
Ruochen
_______________________________________________ OAuth mailing list -- [email protected] To unsubscribe send an email to [email protected]
