Nat, this is exactly what I had in mind. In many ways OAuth and OAuth-WRAP are similar to artifact binding: the user approves a token, which is then passed back to the RP via a browser redirect. The token is then used by the RP to make web service calls on the OP to access a Protected Resource.

The token is kind of like an artifact, and the Protected Resource can be an OpenID assertion. Would we be able to combine the OpenID Artifact Binding Extension with OAuth WRAP? If so, that would be great.

Allen

On 2/8/10 7:29 PM, "Nat Sakimura" <[email protected]> wrote:

> Hi
>
> I was wondering if we could define an Artifact Binding/Mobile Profile for
> Wrap.
>
> The way I would do it is pretty simple because Wrap Web App Profile is an
> Artifact Binding to some extent.
> Just send Verification Code Request directly from WebAppClient to AuthzServer
> and get an Artifact back and bring that to AuthzServer through UA.
> After PoP, another artifact is created at AuthzServer and
> it is brought back to the WebAppClient through UA redirect.
> Then, the Verification Code Response can be obtained from AuthzServer
> directly using the artifact.
> The rest is the same.
>
> I created a blog entry with a pretty diagram at
> http://www.sakimura.org/en/modules/wordpress/oauth-wrap-mobile-web-app-profile/
>
> It may be easier to see the page instead of the above description.
>
> (Instead of using response artifact, Verification Code Response can be sent
> directly, but then we would be introducing AuthzServer -> WebAppClient
> communication, which would have some implication on firewall configuration.)
>
> For those of you who say that "Artifact is Complex", see the original Web App
> Profile here:
>
> http://www.sakimura.org/en/modules/wordpress/oauth-wrap-web-app-profile-summary/
>
> It is almost identical.
>
> Added value is that it is more "mobile" friendly, and is actually more secure
> if the Request Artifact and Response Artifact (wrap_verification_code) are
> generated cryptographically strongly.
>
> What would you think?
_______________________________________________
specs mailing list
[email protected]
http://lists.openid.net/mailman/listinfo/openid-specs
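
The security condition in the quoted proposal (artifacts that are generated cryptographically strongly and exchanged for the real response over the direct WebAppClient-to-AuthzServer call) can be sketched as follows. This is an added example, not part of the thread or of any WRAP draft; the ArtifactStore class, the 120-second lifetime, single-use redemption, client binding, the client ids and the payload are all assumptions made for illustration.

```python
import hashlib
import secrets
import time

ARTIFACT_TTL_SECONDS = 120  # assumed lifetime, not taken from the WRAP draft


class ArtifactStore:
    """AuthzServer-side table of outstanding artifacts (hypothetical helper)."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._entries = {}  # sha256(artifact) -> (client_id, payload, expiry)

    @staticmethod
    def _key(artifact):
        # Keep only a hash, so a leaked table does not expose live artifacts.
        return hashlib.sha256(artifact.encode("utf-8")).hexdigest()

    def issue(self, client_id, payload):
        # 32 bytes from the OS CSPRNG: the value the browser carries is
        # unguessable and reveals nothing about the payload it stands for.
        artifact = secrets.token_urlsafe(32)
        expiry = self._clock() + ARTIFACT_TTL_SECONDS
        self._entries[self._key(artifact)] = (client_id, payload, expiry)
        return artifact

    def redeem(self, artifact, client_id):
        # pop() makes the artifact single-use; a failed attempt also burns it.
        entry = self._entries.pop(self._key(artifact), None)
        if entry is None:
            return None  # unknown, guessed, or already redeemed
        owner, payload, expiry = entry
        if self._clock() > expiry or owner != client_id:
            return None  # expired, or presented by a different client
        return payload


def demo():
    """Redeem once, replay, and cross-client attempt on constructed values."""
    store = ArtifactStore()
    payload = {"verification_code_response": "constructed-sample"}
    first = store.issue("client-123", payload)
    ok = store.redeem(first, "client-123")      # back-channel call by the client
    replay = store.redeem(first, "client-123")  # same artifact a second time
    second = store.issue("client-123", payload)
    stolen = store.redeem(second, "client-999")  # lifted from the redirect URL
    return ok, replay, stolen


if __name__ == "__main__":
    print(demo())
```

Because the browser only ever carries the opaque artifact, a value observed in the redirect is useless once it has been redeemed, has expired, or is presented by a client other than the one it was issued to.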
