Re: [OAUTH-WG] proposal for signatures

2010-06-21 Thread Justin Smith
I'm not emphatic about either, but my vote is to remove the envelope. -Original Message- From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of Brian Eaton Sent: Monday, June 21, 2010 9:49 AM To: Dick Hardt Cc: OAuth WG Subject: Re: [OAUTH-WG] proposal for signatures

Re: [OAUTH-WG] proposal for factoring out request signing in OAuth 2

2010-05-22 Thread Justin Smith
I like the idea of simplifying the core spec, but the devil is in the details. In practice it seems onerous to ask the AS and the PR to know both the key used to sign the token as well as the key used to sign the request (regardless of if the request signing key is the same as the

Re: [OAUTH-WG] Issue: Scope parameter

2010-04-16 Thread Justin Smith
value in the 401 (should the URI reference the individual service or the bundle). From: Manger, James H [mailto:james.h.man...@team.telstra.com] Sent: Thursday, April 15, 2010 9:44 PM To: Justin Smith; OAuth WG Subject: RE: [OAUTH-WG] Issue: Scope parameter So, let’s say there is an Authorization

Re: [OAUTH-WG] Issue: Scope parameter

2010-04-15 Thread Justin Smith
: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of Justin Smith Sent: Friday, 16 April 2010 9:39 AM To: Eran Hammer-Lahav; Marius Scurtescu; record...@gmail.com Cc: OAuth WG Subject: Re: [OAUTH-WG] Issue: Scope parameter I don’t see how the presence of a scope parameter hurts

Re: [OAUTH-WG] Issue: Scope parameter

2010-04-15 Thread Justin Smith
token request to http://as.com. Is that right? If so, then how does http://as.com know that the intended resource is http://foo.com? From: Manger, James H [mailto:james.h.man...@team.telstra.com] Sent: Thursday, April 15, 2010 9:09 PM To: Justin Smith; OAuth WG Subject: RE: [OAUTH-WG] Issue

Re: [OAUTH-WG] Defining a maximum token length?

2010-03-10 Thread Justin Smith
Along those lines, here's an access token (SWT w/o URL encoding) that has some role and attribute data. I think it is representative of how customers are using the OAuth WRAP implementation in AppFabric.

Re: [OAUTH-WG] [WRAP] Username and Password Profile

2010-03-09 Thread Justin Smith
Part of the motivation behind that profile was to allow an autonomous client (no end-user identity passed to the AS) the ability to access a web service. In that case, I don't see what the client secret (along with the username and password) would be adding. Ethan - assuming the token is

Re: [OAUTH-WG] [WRAP] Username and Password Profile

2010-03-09 Thread Justin Smith
Yep - mistake on my part. I thought the discussion was around section 5.1 and 5.2 on OAuth WRAP v0.9.7.2. -Original Message- From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of David Recordon Sent: Tuesday, March 09, 2010 9:46 AM To: oauth-wrap...@googlegroups.com;