[Ace] Question about the response to an unauthorized request

2017-10-23 Thread Ludwig Seitz
Hello ACE, Jim Schaad has brought up an interesting question [1] on draft-ietf-ace-oauth-authz [2]: Currently when a client makes an unauthorized request to a resource server, it gets back the address of the authorization server and optionally a nonce (to prevent replay attacks). Jim is su

[Ace] Question about the response to an unauthorized request

2017-11-06 Thread Cigdem Sengul
Hello Ludwig, This is UMA. The ticket is a way for RS to register client’s request with AS, giving it the ability to communicate other scopes etc related to request. Client presents the ticket to AS to obtain an access token. (So ticket is not an access token). I brought UMA ticket up to respond

Re: [Ace] Question about the response to an unauthorized request

2017-10-25 Thread Cigdem Sengul
Hello, To bring a different view, I wanted to mention Kantara UMA (User Managed Access) approach to this problem. (I participated in the UMA v2.0 development this year, so had the chance to be more familiar with the new drafts.) In UMA, the resource server must respond to a client's tokenless (u

Re: [Ace] Question about the response to an unauthorized request

2017-10-25 Thread Grace Lewis
Phone: (412) 268-5851 http://www.sei.cmu.edu/staff/glewis From: Ace on behalf of Cigdem Sengul Date: Wednesday, October 25, 2017 at 10:27 AM To: Ludwig Seitz Cc: "ace@ietf.org" Subject: Re: [Ace] Question about the response to an unauthorized request Hello, To bring a differe

Re: [Ace] Question about the response to an unauthorized request

2017-10-25 Thread Jim Schaad
about the response to an unauthorized request Hello, To bring a different view, I wanted to mention Kantara UMA (User Managed Access) approach to this problem. (I participated in the UMA v2.0 development this year, so had the chance to be more familiar with the new drafts.) In UMA, the

Re: [Ace] Question about the response to an unauthorized request

2017-10-25 Thread Jim Schaad
, October 25, 2017 8:26 AM To: Cigdem Sengul ; Ludwig Seitz Cc: ace@ietf.org Subject: Re: [Ace] Question about the response to an unauthorized request Ludwig, I do believe that this would reveal too much information to an attacker, especially if IoT devices are being deployed in “hostile

Re: [Ace] Question about the response to an unauthorized request

2017-10-25 Thread Cigdem Sengul
l > *Sent:* Wednesday, October 25, 2017 7:28 AM > *To:* Ludwig Seitz > > *Cc:* ace@ietf.org > *Subject:* Re: [Ace] Question about the response to an unauthorized > request > > > > Hello, > > > > To bring a different view, I wanted to mention Kantara UM

Re: [Ace] Question about the response to an unauthorized request

2017-10-25 Thread Jim Schaad
[mailto:cigdem.sen...@gmail.com] Sent: Wednesday, October 25, 2017 2:19 PM To: Jim Schaad Cc: Ludwig Seitz ; ace@ietf.org Subject: Re: [Ace] Question about the response to an unauthorized request UMA assumes that resource server knows “which authorization server to approach for the

Re: [Ace] Question about the response to an unauthorized request

2017-11-05 Thread Cigdem Sengul
ss access request? > > > > > > > > *From:* Ace [mailto:ace-boun...@ietf.org] *On Behalf Of *Cigdem Sengul > *Sent:* Wednesday, October 25, 2017 7:28 AM > *To:* Ludwig Seitz > *Cc:* ace@ietf.org > *Subject:* Re: [Ace] Question about the response to an unauthorize

Re: [Ace] Question about the response to an unauthorized request

2017-11-05 Thread Ludwig Seitz
On 2017-11-05 18:37, Cigdem Sengul wrote: In the case of the rogue requestor being the client, it does not have visibility into what is included in the permission ticket (the ticket is a reference returned by the RS to be presented at the AS). It may DoS the RS with requests, which the RS may implement a solution lik
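The exchange the thread is discussing, reduced to a runnable toy model, as an added example that is not part of the thread or of draft-ietf-ace-oauth-authz: a tokenless request gets back the AS address plus a fresh nonce, the AS echoes that nonce into the token it issues, and the RS accepts a token only if it carries a nonce the RS itself handed out and has not already consumed. Everything below is an assumption for illustration only: the `AS_URI`, the `SHARED_KEY` (an HMAC stand-in for whatever key actually protects the token), plain JSON dicts instead of CBOR/CWT, and the `unauthorized_request` / `post_token` / `token_request` method names. The draft's real encoding, parameter names and token format are not reproduced here.

```python
import hashlib
import hmac
import json
import secrets

# Hypothetical AS address returned in the unauthorized response (assumption, not from the draft).
AS_URI = "coaps://as.example.com/token"
# Constructed demo secret shared by AS and RS; stands in for real token protection.
SHARED_KEY = b"as-rs-shared-key-for-demo-only"


def token_tag(claims):
    """MAC over canonical JSON so AS and RS authenticate identical bytes."""
    body = json.dumps(claims, sort_keys=True).encode()
    return hmac.new(SHARED_KEY, body, hashlib.sha256).hexdigest()


class AuthorizationServer:
    def __init__(self, grants):
        self.grants = grants  # client_id -> set of scopes it may be granted

    def token_request(self, client_id, audience, scope, nonce):
        """Issue a token bound to the RS nonce, or refuse the scope."""
        if scope not in self.grants.get(client_id, set()):
            return {"status": 400, "error": "invalid_scope"}
        claims = {"aud": audience, "scope": scope, "sub": client_id, "nonce": nonce}
        return {"status": 200, "access_token": {"claims": claims, "tag": token_tag(claims)}}


class ResourceServer:
    def __init__(self, name):
        self.name = name
        self.pending = set()    # nonces sent in 401 responses and not yet redeemed
        self.redeemed = set()   # nonces already consumed by an accepted token

    def unauthorized_request(self):
        """Tokenless request: reply with the AS address and a fresh nonce."""
        nonce = secrets.token_hex(8)
        self.pending.add(nonce)
        return {"status": 401, "AS": AS_URI, "nonce": nonce}

    def post_token(self, token):
        """Verify a token the client obtained from the AS; each nonce is accepted once."""
        claims, tag = token["claims"], token["tag"]
        if not hmac.compare_digest(tag, token_tag(claims)):
            return {"status": 401, "error": "bad_tag"}
        if claims.get("aud") != self.name:
            return {"status": 401, "error": "wrong_audience"}
        nonce = claims.get("nonce")
        if nonce in self.redeemed:
            return {"status": 401, "error": "replayed_nonce"}
        if nonce not in self.pending:
            return {"status": 401, "error": "unknown_nonce"}
        self.pending.discard(nonce)
        self.redeemed.add(nonce)
        return {"status": 201, "scope": claims["scope"]}


def run_flow():
    """Happy path, then three misuse cases the nonce and audience checks catch."""
    as_ = AuthorizationServer({"thermostat": {"read"}})
    rs = ResourceServer("rs1")
    out = {}

    hints = rs.unauthorized_request()           # client asked without a token
    out["hints"] = hints
    reply = as_.token_request("thermostat", "rs1", "read", hints["nonce"])
    token = reply["access_token"]
    out["first_post"] = rs.post_token(token)    # accepted: nonce was issued by this RS

    # Replay: an eavesdropper re-posts the captured token.
    out["replay"] = rs.post_token(token)

    # Stale token: minted for a nonce this RS never issued (e.g. from before a reboot).
    stale = as_.token_request("thermostat", "rs1", "read", "deadbeefdeadbeef")["access_token"]
    out["stale"] = rs.post_token(stale)

    # Token issued for a different RS, presented here with one of our own nonces.
    other_hints = rs.unauthorized_request()
    foreign = as_.token_request("thermostat", "rs2", "read", other_hints["nonce"])["access_token"]
    out["foreign"] = rs.post_token(foreign)
    return out
```

The nonce here does one job: it lets the RS tie an incoming token to a hint it actually sent, so a captured token cannot be posted twice and a token obtained against an old hint is refused. It does nothing about the concern raised in the thread that the 401 response itself discloses the AS address to whoever sends the tokenless request; an RS that wants to limit that has to decide separately how much to say, and how many pending nonces it is willing to hold for unauthenticated requesters.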