Phil, I also just read draft-hunt-oauth-v2-user-a4c-02. This proposal sounds awfully close to what UMA is doing for consent management.
The Resource Owner (RO) in UMA has the option to set access control policy (including the expected authentication LOA of the user/client). The RO also has the option to require the Client/User to provide Claims regarding both entities (UMA distinguishes between the Client and the Human person using the Client). UMA relies on OpenID-Connect OP to provide the Claims.

Btw, is your intention to create something akin to AuthnContext in SAML2.0?

Best.

/thomas/

____________________________________________
From: OAuth [mailto:[email protected]] On Behalf Of Bill Mills
Sent: Thursday, May 15, 2014 11:51 AM
To: OAuth WG
Subject: [OAUTH-WG] AC4 and what does it solve?

I'm reading the AC4 draft and I want to understand the problems it's actually trying to solve, which isn't as clear as it could be in the prose.

It looks like it's extending OAuth to:

1) Allowing the client to specify a desired authentication level.
2) Giving the client an opaque identifier to differentiate users.
3) Telling the client what level of authentication was used.

Do I have this right?

Thanks,

-bill
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
