Hi Thomas— The UMA Work Group that produced the “RSR” (OAuth Resource Set
Registration) spec has an outstanding issue to fix the BCP190 issue that you
point out. Since it’s a backwards-incompatible change, and we are taking a
semantic versioning approach, we need to plot it out appropriately. We
Centralizing the user auth: yes, it doesn't even have to be multiple types of RS
for this to win. Reducing your attack surface and allowing your auth stack to
be separate from your app stack are two of the good things. Auth is a
specialized thing and hard to do right, and pulling it down to a m
On 13.10.2015 07:37, Ofer Nave wrote:
>> You do have decisions to make on whether you use symmetric crypto or PK
> there.
>
> That's another thing I was pondering -- simple shared secret, or require
> generating a private/public key pair.
>
> The asymmetric form is a little more complicated in term
I think what you’re talking about is reasonable, but I also think that you
don’t need to invent anything. You’re right that these things aren’t defined in
OAuth core itself, but instead they’re defined in companion specs. Most notably
you have:
- JWT (RFC7519): a structured token based on JSO
This seems like a reasonable approach. Isn't the whole idea of the auth
server/resource server separation in OAuth 2.0 so that one auth server can
govern multiple resource servers?
--
Jim Manico
@Manicode
> On Oct 13, 2015, at 6:13 AM, Ofer Nave wrote:
>
> I know the OAuth 2.0 RFC doesn't spe
You're generally right on track. The RS needs to understand the token format
and needs to trust the AS. You bring in all the "how do 2 entities maintain a
trust relationship in computing" thing here, because the RS needs to trust the
AS. You can use a JWT (a common choice) as your token forma
I know the OAuth 2.0 RFC doesn't specify any standards for coordination
between the Authorization Server and the Resource Server, as it's generally
assumed that both will be owned or operated by the same entity.
However, I'm building an OAuth 2.0 Auth Server, and I'd like to add a
feature to make