Dear OAuth WG,

I watched the Bangkok presentation and I think that the problem presented as motivation really has better solutions, or maybe I didn't quite understand it.
As I understand it, the issue is that we have a client that needs an OAuth token where the fields are dynamically produced as a result of one coming in, and the client doesn't know how to get one. I think it would be safer to have the auxiliary process produce a grant to an existing token that the client does have, where proof of possession of the key already exists via chaining, akin to how we can use intermediates in X509. This avoids the issues with unknown key share that are an unfixable issue with the current proposal.

Sincerely,
Watson

--
Astra mortemque praestare gradatim