The question of allowing for multiple assertions in the SAML profile
came up recently.  See
http://www.ietf.org/mail-archive/web/oauth/current/msg04068.html and
several subsequent messages in the thread.

I pushed back on the idea at first due to added complexity.  There are
a number of things that need to be addressed that aren't present in
the single assertion case.   One of the stickier ones, to me, was how
to encode the assertions into the request.   A SAML <Response> element
is a nice container for multiple assertions but using it in this
context seemed awkward at best.  A new schema could be defined or a
special delimiter character could be used but that seems excessive
and kludgy respectively.

What about pushing it up into the HTTP layer and allowing for multiple
occurrences of the assertion=XXX parameter in the POST body?  I don't
see anything in core OAuth that would necessarily preclude doing this.
 It seems cleaner and more lightweight than some of the other options.
 And perhaps it could be a more general (not just SAML) method of
sending multiple assertions in a single assertion grant type request?

It'd look something like this:

  POST /token.oauth2 HTTP/1.1
  Host: authz.example.net
  Content-Type: application/x-www-form-urlencoded

   grant_type=assertion&assertion_type=http%3A%2F%2Foauth.net%2Fassertion_type%2Fsaml%2F2.0%2Fbearer
   &assertion=[...1st assertion...]&assertion=[...2nd assertion...]&assertion=[...3rd assertion...]
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
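As an added example, not from the thread or from any OAuth implementation, here is a Python parser for the token-endpoint side of the proposal above: it collects every repeated assertion= parameter while refusing a repeated grant_type or assertion_type, and a second function shows how the common "last value wins" handling of duplicate form keys silently drops all but one assertion. The assertion values are constructed placeholders.

```python
from urllib.parse import parse_qs, parse_qsl

# Constructed request body in the shape of the proposal; placeholder strings
# stand in for the encoded SAML assertions.
BODY = (
    "grant_type=assertion"
    "&assertion_type=http%3A%2F%2Foauth.net%2Fassertion_type%2Fsaml%2F2.0%2Fbearer"
    "&assertion=FIRST_ASSERTION&assertion=SECOND_ASSERTION&assertion=THIRD_ASSERTION"
)

SAML_BEARER = "http://oauth.net/assertion_type/saml/2.0/bearer"
SINGLE_VALUED = ("grant_type", "assertion_type")


def parse_assertion_grant(body: str, max_assertions: int = 5) -> dict:
    """Parse a form-encoded assertion grant, allowing only 'assertion' to repeat."""
    # parse_qs keeps every occurrence of a key as a list, so duplicates are
    # visible instead of being collapsed to the first or last value.
    params = parse_qs(body, keep_blank_values=True, strict_parsing=True)

    for name in SINGLE_VALUED:
        count = len(params.get(name, []))
        if count != 1:
            raise ValueError(f"{name} must appear exactly once, saw {count}")
    if params["grant_type"][0] != "assertion":
        raise ValueError("unsupported grant_type")
    if params["assertion_type"][0] != SAML_BEARER:
        raise ValueError("unsupported assertion_type")

    assertions = params.get("assertion", [])
    if not assertions:
        raise ValueError("at least one assertion is required")
    if len(assertions) > max_assertions:
        raise ValueError(f"more than {max_assertions} assertions")
    if any(a == "" for a in assertions):
        raise ValueError("empty assertion value")

    unexpected = set(params) - set(SINGLE_VALUED) - {"assertion"}
    if unexpected:
        raise ValueError(f"unexpected parameters: {sorted(unexpected)}")
    return {"assertion_type": params["assertion_type"][0], "assertions": assertions}


def naive_last_value_parse(body: str) -> dict:
    """Mimic frameworks that expose one value per key: later duplicates overwrite
    earlier ones, so two of the three assertions vanish without any error."""
    return dict(parse_qsl(body, keep_blank_values=True))
```

Any server that collapses duplicate keys this way will validate only one assertion and ignore the rest, so a deployment adopting the proposal has to confirm its form parser keeps all values.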