could be Resource owner?
"Tschofenig, Hannes (NSN - FI/Espoo)" <[email protected]> 发件人: [email protected] 2012-12-03 16:49 收件人 "ext Nat Sakimura" <[email protected]>, "Brian Campbell" <[email protected]>, "oauth" <[email protected]> 抄送 主题 Re: [OAUTH-WG] Assertion Framework - Why does issuer have to be either the client or a third party token service? Hi Nat, The current text essentially says that the assertion can either be created by the client (in which case it is self-signed) or it can be created by some other entity (which is then called the third party token service). So, this third party could be the authorization server. Ciao Hannes From: [email protected] [mailto:[email protected]] On Behalf Of ext Nat Sakimura Sent: Monday, December 03, 2012 10:35 AM To: Brian Campbell; oauth Subject: [OAUTH-WG] Assertion Framework - Why does issuer have to be either the client or a third party token service? Hi Brian, The assertion framework defines the Issuer as: Issuer The unique identifier for the entity that issued the assertion. Generally this is the entity that holds the key material used to generate the assertion. The issuer may be either an OAuth client (when assertions are self-issued) or a third party token service. I was wondering why it has to be either the client or a third party token service. Conceptually, it could be any token service (functionality) residing in any of the stakeholders (Resource Owner, OAuth Client, Authorization Server, or a third party). I would appreciate if you could clarify why is the case. Best, -- Nat Sakimura (=nat) Chairman, OpenID Foundation http://nat.sakimura.org/ @_nat_en _______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
