A few of us had a chance to meet face to face this morning at IIW 13
in Mountain View and talked a bit about the assertions document. I
wanted to try and (very quickly) summarize that and also talk about
some next steps for these documents. This is partly a summary and
partly a reminder of things to be done.



The "OAuth 2.0 Assertion Profile"
http://tools.ietf.org/html/draft-ietf-oauth-assertions-00

Hannes and Barry expressed concern about some of the wording (and
possibly the SAML one as well?) saying that it could potentially be
misleading or confusing regarding the actual security properties
implied or provided by the profile. Hannes was going to take a crack
at proposing some new text.

This draft is due for an update and there have been some comments on
it over the last few months. I found
http://www.ietf.org/mail-archive/web/oauth/current/msg07186.html which
are some general comments from Yaron and
http://www.ietf.org/mail-archive/web/oauth/current/msg07173.html which
is from me about the need to do parameter registration in this doc.

I thought there were some additional comments but I can't seem to find
them. Personally, given the treatment of client_id in
draft-ietf-oauth-v2-22, I think that this draft needs to rework its
handling of client_id. It should probably just be omitted completely
from section 4.2. "Using Assertions as Authorization Grants" and made
optional or even forbidden in section 4.1. "Using Assertions for
Client Authentication".



"An IETF URN Sub-Namespace for OAuth"
http://tools.ietf.org/html/draft-ietf-oauth-urn-sub-ns-00

I think this short document is ready to go on to whatever is next.



"SAML 2.0 Bearer Assertion Profiles for OAuth 2.0"
http://tools.ietf.org/html/draft-ietf-oauth-saml2-bearer-08

I believe this document is also ready to go, although it depends on
the previous two documents, so they should probably progress together
as a group.
The only comment I'm aware of on it came from a cross posting at the
OASIS SSTC and while I acknowledge what was said, I don't believe it
can be addressed. I can provide more detail, if anyone is interested.

Hannes said he thought there might be some editorial issues with it or
perhaps it contained incorrect URI(s). He wasn't sure if he was
working against the latest draft, however, so is planning on double
checking and providing comments if appropriate.



"JSON Web Token (JWT) Bearer Profile for OAuth 2.0"
http://tools.ietf.org/html/draft-jones-oauth-jwt-bearer-00

Mike is going to update this draft to be an instance of
draft-ietf-oauth-assertions-00 similar to what
draft-ietf-oauth-saml2-bearer-08 does.
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth