>>>>> "Alan" == Alan DeKok <[email protected]> writes:
Alan> My take is that proxies which do re-writes SHOULD
Alan> pro-actively request the authorization data. This would mean
Alan> watching the Access-Accept for a "more authorization" flag,
Alan> and then immediately requesting the authorization data. That
Alan> data would be cached locally.
Alan> When the client requests the authorization data, any
Alan> response would be delayed until all of the data was available.
Alan> Then, the re-write would occur, and the response sent.
Alan> This design simplifies the proxy implementation. Instead of
Alan> having to juggle multiple packets, it just sends back a cached
Alan> response. Since servers already send back canned responses,
Alan> we know that the design works.
That certainly sounds like an improvement.
Assuming someone were looking at that design for rewriting SAML
assertions, how scared would you be?
_______________________________________________
abfab mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/abfab
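The proxy design Alan sketches above, as an added simulation that is not part of this thread and not code from any ABFAB or RADIUS implementation: the proxy watches each Access-Accept for the "more authorization" flag, immediately requests the authorization data from the server, rewrites and caches it once it arrives, and answers the client's later request from the cache, holding that request back if the data is still in flight. Packet shapes, the `more_authorization` field, the session ids and the toy `rewrite` callable are all constructed stand-ins; the upstream exchange is modelled as two callbacks rather than real sockets.

```python
"""Event-driven model of a rewriting proxy that pre-fetches and caches
authorization data (constructed illustration, not a wire format)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple


@dataclass
class AccessAccept:
    session_id: str
    more_authorization: bool   # constructed stand-in for the "more authorization" flag


@dataclass
class RewritingProxy:
    rewrite: Callable[[str], str]                       # applied to each authorization item
    upstream_requests: List[str] = field(default_factory=list)   # fetches sent to the server
    cache: Dict[str, List[str]] = field(default_factory=dict)    # session -> rewritten data
    awaiting: Dict[str, int] = field(default_factory=dict)       # session -> delayed client requests
    responses: List[Tuple[str, List[str]]] = field(default_factory=list)  # delivered to clients

    def on_access_accept(self, pkt: AccessAccept) -> AccessAccept:
        """Server -> proxy. If more data is flagged, request it right away
        instead of waiting for the client to ask."""
        sid = pkt.session_id
        if pkt.more_authorization and sid not in self.cache and sid not in self.awaiting:
            self.upstream_requests.append(sid)
            self.awaiting[sid] = 0          # nothing delayed yet, but a fetch is in flight
        return pkt                          # the Access-Accept itself is forwarded unchanged

    def on_authorization_data(self, session_id: str, raw_items: List[str]) -> None:
        """Server -> proxy. Rewrite once, cache, then release any client
        requests that were held while the fetch was outstanding."""
        self.cache[session_id] = [self.rewrite(item) for item in raw_items]
        for _ in range(self.awaiting.pop(session_id, 0)):
            self.responses.append((session_id, self.cache[session_id]))

    def on_client_authorization_request(self, session_id: str) -> str:
        """Client -> proxy. Returns how the request was handled."""
        if session_id in self.cache:
            self.responses.append((session_id, self.cache[session_id]))
            return "answered"               # canned response straight from the cache
        if session_id in self.awaiting:
            self.awaiting[session_id] += 1
            return "delayed"                # fetch still in flight; answer when data arrives
        return "unknown"                    # no Access-Accept flagged data for this session


def demo() -> RewritingProxy:
    """Walk through the in-flight and cached cases with constructed data."""
    proxy = RewritingProxy(rewrite=lambda s: s.replace("idp.example", "proxy.example"))
    proxy.on_access_accept(AccessAccept("s1", more_authorization=True))
    proxy.on_client_authorization_request("s1")                 # arrives before the data: delayed
    proxy.on_authorization_data("s1", ["Issuer=idp.example;attr=a"])   # constructed payload
    proxy.on_client_authorization_request("s1")                 # now served from the cache
    return proxy


if __name__ == "__main__":
    for sid, data in demo().responses:
        print(sid, data)
```

The rewrite runs once, when the data arrives, so a client request that was held and one that comes later receive the identical cached response; that is the property that lets the proxy avoid juggling several packets per session.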