In principle it would work. The only downside is that the artifact/token might be smaller if it were a simple SHA256 XORed with the association secret or something like that.
I like the concept in principle if it doesn't compromise the ability to have a small response via GET. I had questions around the token format returned by the protected resource (artifact resolution).

John B.

On 2010-02-10, at 7:27 PM, Allen Tom wrote:

> + [sp...@openid]
>
> Nat – this is exactly what I had in mind. In many ways OAuth and OAuth-WRAP
> are similar to artifact binding – the user approves a token, which is then
> passed back to the RP via a browser redirect. The token is then used by the
> RP to make web service calls on the OP to access a Protected Resource.
>
> The token is kind of like an artifact, and the Protected Resource can be an
> OpenID assertion.
>
> Would we be able to combine the OpenID Artifact Binding Extension with OAuth
> WRAP? If so, that would be great.
>
> Allen
>
>
> On 2/8/10 7:29 PM, "Nat Sakimura" <[email protected]> wrote:
>
>> Hi
>>
>> I was wondering if we could define an Artifact Binding/Mobile Profile for
>> Wrap.
>>
>> The way I would do it is pretty simple because Wrap Web App Profile is an
>> Artifact Binding to some extent.
>> Just send Verification Code Request directly from WebAppClient to
>> AuthzServer
>> and get an Artifact back and bring that to AuthzServer through UA.
>> After PoP, another artifact is created at AuthzServer and
>> it is brought back to the WebAppClient through UA redirect.
>> Then, the Verification Code Response can be obtained from AuthzServer
>> directly using the artifact.
>> The rest is the same.
>>
>> I created a blog entry with a pretty diagram at
>> http://www.sakimura.org/en/modules/wordpress/oauth-wrap-mobile-web-app-profile/
>>
>> It may be easier to see the page instead of the above description.
>>
>> (Instead of using a response artifact, the Verification Code Response can be sent
>> directly,
>> but then we would be introducing AuthzServer -> WebAppClient communication,
>> which would have
>> some implications on firewall configuration.)
>>
>> For those of you who say that "Artifact is Complex", see the original Web
>> App Profile here:
>>
>> http://www.sakimura.org/en/modules/wordpress/oauth-wrap-web-app-profile-summary/
>>
>> It is almost identical.
>>
>> Added value is that it is more "mobile" friendly, and is actually more
>> secure if the
>> Request Artifact and Response Artifact (wrap_verification_code) is generated
>> cryptographically
>> strongly.
>>
>> What would you think?
> _______________________________________________
> specs mailing list
> [email protected]
> http://lists.openid.net/mailman/listinfo/openid-specs
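The four-hop artifact flow Nat describes (direct Verification Code Request, request artifact carried to the AuthzServer through the UA, response artifact carried back through a UA redirect, direct redemption for the Verification Code Response), modelled end to end as an added example. This is not code from the thread or from any OAuth-WRAP or OpenID implementation; the class names, parameter names, the `wrap_artifact` query parameter, the 60-second lifetime and the reading of "PoP" as the user's authentication and approval step at the AuthzServer are all assumptions. What it adds to the description is the checks an artifact needs to be safe in a URL: generated from a CSPRNG, resolved only server-side, single use, short-lived, and redeemable only by the client that started the flow.

```python
"""Toy model of the OAuth-WRAP artifact binding flow from the thread.

Added example, not code from the thread or from any OAuth-WRAP
implementation. Names, parameters and the TTL are assumptions that
follow Nat's description; no wire format is specified in the thread.
"""
import secrets
import time

ARTIFACT_TTL = 60  # seconds an artifact stays valid (assumed value)


class AuthzServer:
    def __init__(self, client_secrets, clock=time.time):
        self._client_secrets = client_secrets  # client_id -> shared secret
        self._request_artifacts = {}           # artifact -> record
        self._response_artifacts = {}
        self._clock = clock

    def _new_artifact(self, store, record):
        # 256 bits from the OS CSPRNG: unguessable and unrelated to any
        # secret, so learning one artifact reveals nothing about another.
        artifact = secrets.token_urlsafe(32)
        store[artifact] = dict(record, created=self._clock())
        return artifact

    def _consume(self, store, artifact):
        rec = store.pop(artifact, None)  # pop: every artifact is single use
        if rec is None or self._clock() - rec["created"] > ARTIFACT_TTL:
            return None
        return rec

    def _authenticate(self, client_id, client_secret):
        expected = self._client_secrets.get(client_id, "")
        if not secrets.compare_digest(expected, client_secret):
            raise PermissionError("client authentication failed")

    # 1. Back channel: WebAppClient -> AuthzServer, returns a request artifact.
    def verification_code_request(self, client_id, client_secret, callback, scope):
        self._authenticate(client_id, client_secret)
        return self._new_artifact(self._request_artifacts,
                                  {"client_id": client_id, "callback": callback,
                                   "scope": scope})

    # 2./3. Front channel: the UA presents the request artifact, the user
    # authenticates and approves ("PoP" here, assumed), the server mints a
    # response artifact and redirects the UA to the callback from step 1.
    def authorize(self, request_artifact, user, approved):
        rec = self._consume(self._request_artifacts, request_artifact)
        if rec is None:
            raise ValueError("unknown, expired or replayed request artifact")
        if not approved:
            return rec["callback"] + "?error=user_denied"
        resp = self._new_artifact(self._response_artifacts,
                                  {"client_id": rec["client_id"], "user": user,
                                   "scope": rec["scope"],
                                   "code": secrets.token_urlsafe(32)})
        # Only the callback registered in step 1 ever receives the artifact.
        return rec["callback"] + "?wrap_artifact=" + resp

    # 4. Back channel: the client redeems the response artifact for the
    # Verification Code Response, authenticating itself again.
    def verification_code_response(self, client_id, client_secret, response_artifact):
        self._authenticate(client_id, client_secret)
        rec = self._consume(self._response_artifacts, response_artifact)
        if rec is None or rec["client_id"] != client_id:
            raise ValueError("artifact invalid, replayed, or issued to another client")
        return {"wrap_verification_code": rec["code"],
                "user": rec["user"], "scope": rec["scope"]}


def run_flow(server, client_id, client_secret,
             callback="https://rp.example/cb", approved=True):
    """Drive one complete flow; returns the Verification Code Response or None."""
    req = server.verification_code_request(client_id, client_secret, callback, "profile")
    redirect = server.authorize(req, user="alice", approved=approved)  # UA hop
    if "?error=" in redirect:
        return None
    resp_artifact = redirect.split("wrap_artifact=")[1]
    return server.verification_code_response(client_id, client_secret, resp_artifact)


if __name__ == "__main__":
    srv = AuthzServer({"rp1": "s3cret"})  # constructed client registration
    print(run_flow(srv, "rp1", "s3cret"))
```

The artifacts here are random handles looked up server-side, which is the "generated cryptographically strongly" property Nat calls out; the example deliberately does not model the smaller, secret-derived artifact John asks about, since that design would need its own analysis of what an attacker who sees many artifacts could learn about the association secret. The property worth keeping whatever the format is that the UA only ever carries an opaque handle, so a leaked redirect URL (browser history, referrer, proxy log) yields nothing once the handle is consumed or expired.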
