-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Mon, Feb 2, 2009 at 9:20 AM, Hans Granqvist <[email protected]> wrote:
>
> It's a trade-off I am sure, but I would have loved it if the standard had
> decoupled the token issuer from the token verifier. In that way, you would
> not need the dance of triage; the consumer simply presents a correct token
> to access a resource. "Correctness" can be ascertained solely from the
> presented token + presenter's identity. In that way the token can be issued
> by anyone at any time.
>
> SAML and Kerberos anyone? ;)

I've thought the same thing. OpenID-OAuth Hybrid is exactly about  
that separation, replacing the old issuing dance with a new one.  
Verification needs to stay the same.

At that point, the only difference between OAuth and SAML or Kerberos
is that there is no standard way to present credentials to the
Authorization endpoint. I assume this will be handled by an extension
in the near future, allowing one consumer to present its credentials
to authorize another consumer's token. I think someone might be
calling it transferable tokens in some extension?

I've also hoped the token would begin to take a more capability-like  
role. All that would be needed would be to explicitly mention the  
resources the token grants access to, and the rights it provides.

http://josephholsten.com

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)

iEYEARECAAYFAkmHgR8ACgkQrPgSa0qMrmE1agCfeec4lFTZaUAHeYHs6kjGzhzc
9ZkAn0QxWVvzbu44YZDddTgBYs1xKIzj
=nV99
-----END PGP SIGNATURE-----
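
The capability-style token discussed in this thread, sketched as an added example that is not part of the original messages or of any OAuth specification: the token names the presenter, the resource and the rights, and the verifier decides from the token plus the presenter's identity without contacting the issuer. The claim names, the `issue`/`verify` functions and the Kerberos-style key shared between issuer and resource server are assumptions of this example, and the presenter is assumed to have been authenticated separately.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed key known only to the issuer and the resource server (assumption).
SERVICE_KEY = b"constructed-demo-key"


def b64(data):
    return base64.urlsafe_b64encode(data).decode()


def issue(presenter, resource, rights, ttl=300, now=None):
    """Issuer: name the presenter, the resource and the rights, then MAC it."""
    now = time.time() if now is None else now
    claims = {"sub": presenter, "res": resource,
              "rights": sorted(rights), "exp": int(now) + ttl}
    body = json.dumps(claims, sort_keys=True).encode()
    tag = hmac.new(SERVICE_KEY, body, hashlib.sha256).digest()
    return b64(body) + "." + b64(tag)


def verify(token, presenter, resource, right, now=None):
    """Verifier: decide from the token and the authenticated presenter
    identity alone, with no call back to the issuer."""
    now = time.time() if now is None else now
    try:
        body_b64, tag_b64 = token.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except ValueError:
        return False  # malformed token
    expected = hmac.new(SERVICE_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return False  # forged or altered claims
    claims = json.loads(body)  # safe to parse: the MAC has been checked
    return (claims["sub"] == presenter and claims["res"] == resource
            and right in claims["rights"] and now < claims["exp"])
```

Because the presenter is bound into the claims, a token copied by another consumer fails verification, which is the property a transferable-token extension would have to relax deliberately.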
