By choosing the right token format you could have a claims-based
implementation of OAuth. If you use a SWT, the name-value pairs in it can
represent simple claims. You could also use a SAML token for OAuth and
either send the entire token (if it's not too large) or use an Identifier to
the SAML token which the protected resource can use to make a back end call
to the Authorization server to get the actual token/claims.

Junaid

On Wed, Sep 1, 2010 at 10:34 PM, Jørn Wildt <[email protected]> wrote:

> Yes, SWT or similar was what I was looking for. But all I could find
> was, well, nothing, and people indicating that SWT is dead - or at
> least not part of OAuth.
>
> Originally I was looking for a claims based security standard for a
> REST API. That's why I ended up with OAuth - but having finally
> figured out the inner workings of OAuth, I see that OAuth is not
> claims based (at least not in the token). It's only federated, which
> is certainly good! But I was hoping to find something for REST that
> SAML does for SOAP: a standard for sending claims with each request.
>
> Thanks, Jørn
>
> On Sep 1, 10:19 pm, Dick Hardt <[email protected]> wrote:
> > There were a couple of documents that described standard access tokens.
> > SWT (Simple Web Token was one of those)
> >
> > The WRAP and OAuth work specifically were token agnostic.
> >
> > -- Dick
> >
> > On 2010-08-31, at 11:54 PM, Jørn Wildt wrote:
> >
> > > Thanks! So OAuth is only concerned with the actual exchange of the
> > > authorization token and access token - not what's in them. Further:
> > > it's up to the OAuth vendor to decide how it should handle those
> > > tokens internally.
> >
> > > For instance: When an end user grants access to something, then this
> > > is registered internally in the application, and when a resource
> > > webservice receives the access token, it looks it up in the internal
> > > register to see what it is valid for? The specs say nothing about what
> > > the webservice should do with that token. Right?
> >
> > > /Jørn
> >
> > > On Sep 1, 7:58 am, John Kristian <[email protected]> wrote:
> > >> It's vendor specific.
> >
> > > --
> > > You received this message because you are subscribed to the Google
> > > Groups "OAuth" group.
> > > To post to this group, send email to [email protected].
> > > To unsubscribe from this group, send email to
> > > [email protected] <oauth%[email protected]>.
> > > For more options, visit this group at
> > > http://groups.google.com/group/oauth?hl=en.
> >
> >
>
>
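
The SWT approach mentioned at the top of this thread (name-value pairs carried in the token as claims), as an added example that is not part of the original messages. It assumes the Simple Web Token layout of form-encoded pairs ending in an HMACSHA256 pair computed over everything before it; the key, URLs and the "role" claim are constructed for illustration.

```python
import base64, hashlib, hmac, time
from urllib.parse import parse_qsl, quote, unquote, urlencode

SIG_FIELD = "&HMACSHA256="  # SWT carries its signature as the final pair

def _mac(key: bytes, body: str) -> bytes:
    return hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()

def issue_swt(claims: dict, key: bytes) -> str:
    """Authorization-server side: form-encode the claims, then sign them."""
    body = urlencode(claims)
    sig = base64.b64encode(_mac(key, body)).decode("ascii")
    return body + SIG_FIELD + quote(sig, safe="")

def verify_swt(token: str, key: bytes, audience: str, now=None) -> dict:
    """Protected-resource side: return the claims or raise ValueError."""
    body, sep, sig = token.rpartition(SIG_FIELD)
    if not sep:
        raise ValueError("token is not signed")
    # Check the MAC over the raw bytes before parsing any claim.
    supplied = base64.b64decode(unquote(sig), validate=True)
    if not hmac.compare_digest(_mac(key, body), supplied):
        raise ValueError("signature mismatch")
    pairs = parse_qsl(body, keep_blank_values=True, strict_parsing=True)
    claims = dict(pairs)
    if len(claims) != len(pairs):
        raise ValueError("duplicate claim name")
    if claims.get("Audience") != audience:
        raise ValueError("token issued for another audience")
    if int(claims.get("ExpiresOn", "0")) <= (time.time() if now is None else now):
        raise ValueError("token expired")
    return claims

# Constructed sample values, not taken from the thread.
DEMO_KEY = b"constructed-shared-key-for-demo"
DEMO_TOKEN = issue_swt({
    "Issuer": "https://as.example",
    "Audience": "https://api.example",
    "ExpiresOn": "2000000000",
    "role": "reader",
}, DEMO_KEY)

if __name__ == "__main__":
    print(verify_swt(DEMO_TOKEN, DEMO_KEY, "https://api.example", now=1900000000))
```

The resource server gets the claims from the token itself, with no lookup against the authorization server, which is the per-request behaviour asked about in the quoted messages.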
