Actually - strike that. Authorization server is covered by the language as
well.
In short, Issuer is simply the entity that minted the assertion. The intent
is to allow the token service to lookup metadata about the issuer used to
establish trust ( their Public Key for instance )
On Dec 3, 2012, at 6:12 PM, Chuck Mortimore wrote:
It's simply the entity that created the assertion. Third party token service
was meant to encapsulate pretty much all of your stakeholders below. The only
one it doesn't really cover is Authorization Server.
On Dec 3, 2012, at 12:35 AM, Nat Sakimura wrote:
Hi Brian,
The assertion framework defines the Issuer as:
Issuer The unique identifier for the entity that issued the
assertion. Generally this is the entity that holds the key
material used to generate the assertion. The issuer may be either
an OAuth client (when assertions are self-issued) or a third party
token service.
I was wondering why it has to be either the client or a third party token
service.
Conceptually, it could be any token service (functionality) residing in any of
the stakeholders (Resource Owner, OAuth Client, Authorization Server, or
a third party).
I would appreciate if you could clarify why is the case.
Best,
--
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en
_______________________________________________
OAuth mailing list
[email protected]<mailto:[email protected]>
https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
