I have had interest from a number of people in standardizing an AS -> RS introspection method.

Ping is happy to contribute our draft as a starting point for work. The OAuth WG doesn't have this as a work item at the moment. We could do it as an ID with a number of contributors or find another place to work on it, and then contribute it similar to OAuth itself.

What are people's thoughts?

It is something that I am seeing customers ask for.

John B.

On 2012-09-17, at 11:13 AM, Justin Richer <[email protected]> wrote:

> On 09/17/2012 08:11 AM, Hannes Tschofenig wrote:
>>> Since it is preferred to have long lived key shared between AS and RS in
>>> this WG,
>>> Is there any consideration for this key distribution and its security
>>> requirements?
>> So far we have had only discussions regarding the standardization of the
>> AS<->RS server interaction in the context of the UMA work.
>>
>> You may want to have a look at
>> http://tools.ietf.org/html/draft-hardjono-oauth-umacore
>>
> Not quite true. There's also the token introspection, like Ping has
> published[1] or what AOL or MITRE have both implemented. You also have to
> account for those using structured tokens (like JWTs) with signatures to
> communicate using the token itself, analogous to SAML assertions.
>
> When we brought it up during the re-chartering discussion, there seemed to be
> a number of folks willing to work on publishing something in this area.
>
> -- Justin
>
> [1] http://www.ietf.org/mail-archive/web/oauth/current/msg08607.html
> _______________________________________________
> OAuth mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/oauth
