On 2010-02-03, at 10:54 AM, Eve Maler wrote: > > - There is a conceptual similarity between the UMA and WRAP entities, but our > analysis so far shows it to be shallow in spots. For example, WRAP's > "protected resource" maps fairly well to an UMA "host" (which may host any > number of protected resources), and WRAP's and OAuth's "client"/"consumer" > maps to an UMA "requester". However, it seems that a WRAP authorization > server is assumed to be in the same domain as a protected resource, allowing > for implicit rather than explicit scoping of resources. The UMA > authorization manager and any one host may be in entirely separate domains, > and introductions between them are intended to be user-driven.
In OAuth WRAP, Authorization Server (AS) is NOT assumed to be in the same domain as the Protected Resource (PR). The Client does need to know which AS it can call for an Access Token for a given PR. Discovery of the PR and AS was out of scope for OAuth WRAP (and I think for this WG). We figured general purpose APIs would have their own discovery and the AS and PR would be discovered in that process. -- Dick _______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
