Draft -11 of "SAML 2.0 Bearer Assertion Profiles for OAuth 2.0" and draft -02 of "OAuth 2.0 Assertion Profile" have been published. The changes address comments raised during WGLC on the two documents that ended earlier this week. A summary of changes is included (with links to the comment in the mail archive when appropriate) in the document history section of each draft. A copy of the relevant portion of the history is also copied to the bottom of this message for convenience. I'd like to specifically thank Mike Jones for his assistance in getting these updates posted quickly.
The drafts are available at:
http://tools.ietf.org/html/draft-ietf-oauth-saml2-bearer-11
http://tools.ietf.org/html/draft-ietf-oauth-assertions-02

draft-ietf-oauth-saml2-bearer-11

o Removed text about limited lifetime access tokens and the SHOULD NOT on issuing refresh tokens. The text was moved to draft-ietf-oauth-assertions-02 and somewhat modified per http://www.ietf.org/mail-archive/web/oauth/current/msg08298.html.

o Fixed typo/missing word per http://www.ietf.org/mail-archive/web/oauth/current/msg08733.html.

o Added Terminology section.

draft-ietf-oauth-assertions-02

o Added text about limited lifetime ATs and RTs per http://www.ietf.org/mail-archive/web/oauth/current/msg08298.html.

o Changed the line breaks in some examples to avoid awkward rendering to text format. Also removed encoded '=' padding from a few examples because both known derivative specs, SAML and JWT, omit the padding char in serialization/encoding.

o Remove section 7 on error responses and move that (somewhat modified) content into subsections of section 4 broken up by authn/authz per http://www.ietf.org/mail-archive/web/oauth/current/msg08735.html.

o Rework the text about "MUST validate ... in order to establish a mapping between ..." per http://www.ietf.org/mail-archive/web/oauth/current/msg08872.html and http://www.ietf.org/mail-archive/web/oauth/current/msg08749.html.

o Change "The Principal MUST identify an authorized accessor. If the assertion is self-issued, the Principal SHOULD be the client_id" in 6.1 per http://www.ietf.org/mail-archive/web/oauth/current/msg08873.html.

o Update reference in 4.1 to point to 2.3 (rather than 3.2) of oauth-v2 (rather than self) http://www.ietf.org/mail-archive/web/oauth/current/msg08874.html.

o Move the "Section 3 of" out of the xref to hopefully fix the link in 4.1 and remove the client_id bullet from 4.2 per http://www.ietf.org/mail-archive/web/oauth/current/msg08875.html.

o Add ref to Section 3.3 of oauth-v2 for scope definition and remove some then redundant text per http://www.ietf.org/mail-archive/web/oauth/current/msg08890.html.

o Change "The following format and processing rules SHOULD be applied" to "The following format and processing rules apply" in sections 6.x to remove conflicting normative qualification of other normative statements per http://www.ietf.org/mail-archive/web/oauth/current/msg08892.html.

o Add text the client_id must id the client to 4.1 and remove similar text from other places per http://www.ietf.org/mail-archive/web/oauth/current/msg08893.html.

o Remove the MUST from the text prior to the HTTP parameter definitions per http://www.ietf.org/mail-archive/web/oauth/current/msg08920.html.

o Updated examples to use grant_type and client_assertion_type values from the OAuth SAML Assertion Profiles spec.

-- Brian

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth