Re: [OAUTH-WG] Assertion Framework - Why does issuer have to be either the client or a third party token service?

Why RO as an issuer is only theoretical today? Brian Campbell 2012-12-04 23:41 收件人 Nat Sakimura 抄送 zhou.suj...@zte.com.cn, "oauth@ietf.org" 主题 Re: [OAUTH-WG] Assertion Framework - Why does issuer have to be either the client or a third party token service? The intent was definitely n

[OAUTH-WG] Redirection flows, pre-authorized tokens and client-requested scopes

We are working with one of our users on the support for pre-authorized tokens which can be checked by AS at the initial end user redirection to this AS before requesting the end-user authorization. My assumption is that if the pre-authorized token exists then the client provided scope, if any,

Re: [OAUTH-WG] New Version Notification for draft-richer-oauth-introspection-00.txt

You're right that UMA bundles several things in the protection API (covered by the protection scope, whose keyword is actually the resolvable URI "http://docs.kantarainitiative.org/uma/scopes/prot.json";). One of those things is the use of the token status endpoint; the rest is the whole mechani

Re: [OAUTH-WG] New Version Notification for draft-richer-oauth-introspection-00.txt

Hi Justin-- Glad to see this moving forward. This draft seems pretty straightforward, and I imagine the UMA core spec could probably incorporate a reference out to this rather than continuing to use our custom-specified method for what we'd called "token status". I wanted to highlight a couple o

Re: [OAUTH-WG] New Version Notification for draft-richer-oauth-introspection-00.txt

Preparing generically for context to be provided by the RS/host, as well as metadata provided back by the AS/AM, seems like a good idea, and hopefully doesn't have to be over-complex. Extension points can be quite simple if designed right. But I agree that the basic use case of "give me back the

[OAUTH-WG] My earlier comments on the dyn client reg draft

Hannes suggested that, for transparency, I should share with the list the comments that I had earlier sent to Justin. Here they are. I believe these have all been addressed in one way or another by now. Eve General - Authorship: I suspect that Christian Scholz really won't mind i

[OAUTH-WG] OAUTH Conference Call Dec 14th, 2012 (was Re: OAuth WG Virtual Interim Meetings, 11 January 2013 & 21 January 2013)

FYI, We will also be holding a conference call on Friday, December 14th at 1pm EST. This call is not an official virtual interim meeting which means no decisions can be made, but it is a time where we plan to discuss progress and discuss any open issues. We will send out dial-in information ASAP

Re: [OAUTH-WG] Assertion Framework - Why does issuer have to be either the client or a third party token service?

The intent was definitely not to constrain who/what could be the issuer. But also try to provide some guidance around the common cases that are actually being deployed now, which are the client self-issued and STS variants. Resource owner as an issuer is an interesting case but seems mostly theoret