David & Marius,
> Using SWT for your access tokens seems like a reasonable way to resolve this
> for servers which care.

SWT is completely the wrong solution for this issue, if I understand it correctly.

I haven't followed the SWT work much, but my understanding is that it aids interop between authorization and resource servers by defining a token format. A crucial feature is a MAC, created by the authz server and verified by the resource server. A client app cannot have the secret key required to verify the signature (MAC) in a SWT token. SWT is separate from WRAP (& OAuth) because it is a private matter between servers -- which the client does not have to know anything about.

The commonality between this issue ("sites" token response param) and SWT is that client apps and resource servers need to know some similar information about a token: such as where & when it can be used. Theoretically I guess we could mandate something like SWT (fleshed out with specifics) for tokens so clients and resource servers can get the info they need from the same field *in* the token. However, having tokens that are opaque to clients (with the info they need in separate fields) is a much better architecture (less coupling), even if some info gets repeated.

P.S. I found SWT-v0.9.5 at http://groups.google.com/group/oauth-wrap-wg/files.

--
James Manger

From: [email protected] [mailto:[email protected]] On Behalf Of David Recordon
Sent: Saturday, 8 May 2010 4:06 AM
To: Marius Scurtescu
Cc: OAuth WG
Subject: Re: [OAUTH-WG] Indicating sites where a token is valid

Using SWT for your access tokens seems like a reasonable way to resolve this for servers which care.

On Fri, May 7, 2010 at 11:01 AM, Marius Scurtescu <[email protected]<mailto:[email protected]>> wrote:

Returning a scope parameter with issued tokens is not a bad idea. But this, and also the sites parameter suggested by James, can both potentially be solved with a transparent token format.

Such a token can make explicit the:
- expiry time
- scopes
- sites
- etc.

The Simple Web Token spec goes along these lines. SWT has a parameter called Audience, which I assumed would point to the client, but it could also represent "sites".

Marius
_______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
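The point James and Marius are arguing over, shown as a small added example that is not part of the thread, the OAuth WRAP work, or the SWT draft: an SWT-style token is form-encoded name=value pairs with a final HMACSHA256 parameter carrying a base64 HMAC-SHA256 over the rest of the token. The authorization server and resource server share the key, so only the resource server can verify the MAC; the client can parse the Audience (used here for the site where the token is valid, as Marius suggests) and ExpiresOn fields but cannot tell whether they are genuine. The shared secret, issuer and site URLs, and the "scope" claim name are constructed for the illustration.

```python
"""SWT-style access token: form-encoded claims protected by an HMAC.

Added illustration for the OAuth WG thread; not code from the SWT
draft.  Layout follows the public SWT description (form-encoded
name=value pairs, trailing HMACSHA256 parameter holding a base64
HMAC-SHA256 over the preceding bytes).  The key, URLs and the "scope"
claim are constructed for this example.
"""
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, unquote_plus, urlencode

MAC_PARAM = "HMACSHA256"

# Constructed secret shared by the authz server and the resource server.
# The client never receives it, which is why it cannot verify a token.
SERVER_SECRET = b"constructed-demo-key-not-for-real-use"


def issue_swt(claims: dict, key: bytes) -> str:
    """Authorization server: encode the claims and append the MAC."""
    if MAC_PARAM in claims:
        raise ValueError("caller must not supply the MAC parameter")
    body = urlencode(claims)
    mac = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
    return body + "&" + urlencode({MAC_PARAM: base64.b64encode(mac).decode("ascii")})


def parse_claims(token: str) -> dict:
    """Client view: read the fields.  No key, so no way to check them."""
    return dict(parse_qsl(token, keep_blank_values=True))


def verify_swt(token: str, key: bytes, expected_audience: str, now: int):
    """Resource server: check the MAC first, then audience and expiry.

    Returns (True, claims) on success or (False, reason) on failure.
    """
    sep = "&" + MAC_PARAM + "="
    idx = token.rfind(sep)
    if idx < 0:
        return False, "missing MAC parameter"
    body, encoded_mac = token[:idx], token[idx + len(sep):]
    if "&" in encoded_mac:
        return False, "MAC parameter must be last"
    try:
        presented = base64.b64decode(unquote_plus(encoded_mac), validate=True)
    except (ValueError, TypeError):
        return False, "malformed MAC"
    expected = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
    # Constant-time comparison; only now are the claims trustworthy.
    if not hmac.compare_digest(presented, expected):
        return False, "bad MAC"
    claims = parse_claims(body)
    if claims.get("Audience") != expected_audience:
        return False, "token not issued for this site"
    try:
        expires_on = int(claims.get("ExpiresOn", ""))
    except ValueError:
        return False, "missing or malformed ExpiresOn"
    if expires_on <= now:
        return False, "token expired"
    return True, claims


if __name__ == "__main__":
    token = issue_swt(
        {
            "Issuer": "https://authz.example.com",
            "Audience": "https://api.example.com",
            "ExpiresOn": "1700000000",
            "scope": "read write",
        },
        SERVER_SECRET,
    )
    print("client sees:", parse_claims(token))
    print("server says:", verify_swt(token, SERVER_SECRET, "https://api.example.com", 1699999000))
```

Note what happens if a client edits the scope or audience it can read: the resource server rejects the token because the MAC no longer matches, while the client itself has no way to notice the difference. That asymmetry is why the thread treats the in-token fields as a server-to-server matter and keeps a separate "sites"/"scope" response parameter for the client.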
