On Thu, Aug 12, 2010 at 11:19 AM, Chuck Mortimore
<cmortim...@salesforce.com> wrote:
> I think it would be reasonable to loosen the language to reflect that the
> subject is who access will be granted to.   It may or may not be the
> resource owner, I agree.

Any thoughts on what that would look like in the spec?    Something
like "The assertion MUST contain a <Subject> element.  The <Subject>
MAY identify the resource owner for whom the access token is being
requested."?   Or just drop the language about resource owner
altogether?  Or something else?

What about the two bullets on AuthnStatement?

   o  If the assertion issuer authenticated the subject, the assertion
      SHOULD contain a single <AuthnStatement> representing that
      authentication event.

   o  If the assertion was issued with the intention that the client act
      autonomously on behalf of the subject, an <AuthnStatement> SHOULD
      NOT be included.

They kind of, but not completely, imply/assume some explicit
relationship between the subject and resource owner.
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
