The ability to securely transfer tokens between systems is the last missing part to the redelegation problem. Right now, we can have an authorized client request a new access token with an equal or lesser scope and be granted that with no user interaction. That token can then be handed, using the below or similar mechanism, to another system for its own access. I'm assuming this would work with tokens containing a secret part (to be used for signing) as well as plain bearer tokens, too.
-- Justin On Mon, 2010-10-18 at 12:03 -0400, Niklas Neumann wrote: > Hello everybody, > > I am currently working on a projected related to authentication and > secure token transfer between multiple devices. As such we are employing > a simple protocol that handles token transfers independent of the actual > type of token. We have adapted the protocol to be used with OAuth tokens > and submitted it as an Internet Draft: > http://tools.ietf.org/html/draft-neumann-oauth-token-transfer > > I was wondering if there is interest in employing such a protocol in > cases where the HTTP redirection schemes of OAuth are not available or > not working well (e.g. desktop applications without access to a user > agent or authentication from a different device/application than the one > accessing the consumer). > > Compared to other proposals such as > draft-dehora-farrell-oauth-accesstoken-creds the STTP is more > heavyweight but in turn it also has more options. With regards to > authentication we didn't use SASL for complexity reasons in our work > initialy but I don't see any reason not to include it if this is deemed > more appropriate. > > The work that the draft is based on is still ongoing. Please understand > the draft as no more than a discussion proposal on how OAuth could be > opened to non-web-based environments and scenarios that involve multiple > devices without overloading the OAuth specification itself. I am happy > to further improve the draft if you think this might be a viable option. > > Best regards > Niklas > _______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
