If you look at my manuscript of the Artifact Binding (http://www.sakimura.org/specs/ab/1.0), it is clear that the Artifact is created and consumed by OP/AuthzServer and is opaque to RP/WebAppClient. It has no restriction other than that it should be below 400 bytes. (NB: it is much bigger than SAML's 30-byte limit.)
Or, if you are talking about the Access Token in fig. 1 of http://www.sakimura.org/en/modules/wordpress/oauth-wrap-mobile-web-app-profile/, then it is also completely opaque. It does not even have a size limit. The only condition is that AuthzServer and Resource have a common understanding of what it is.

=nat

On Thu, Feb 11, 2010 at 7:56 AM, John Bradley <[email protected]> wrote:

> In principle it would work. The only downside is that the artifact/token
> might be smaller if it were a simple SHA256 XORd with the association secret
> or something like that.
>
> I like the concept in principle if it doesn't compromise the ability to
> have a small response via GET.
>
> I had questions around the token format returned by the protected
> resource (artifact resolution).
>
> John B.
>
> On 2010-02-10, at 7:27 PM, Allen Tom wrote:
>
> + [sp...@openid]
>
> Nat – this is exactly what I had in mind. In many ways OAuth and OAuth-WRAP
> are similar to artifact binding – the user approves a token, which is then
> passed back to the RP via a browser redirect. The token is then used by the
> RP to make web service calls on the OP to access a Protected Resource.
>
> The token is kind of like an artifact, and the Protected Resource can be an
> OpenID assertion.
>
> Would we be able to combine the OpenID Artifact Binding Extension with
> OAuth WRAP? If so, that would be great.
>
> Allen
>
>
> On 2/8/10 7:29 PM, "Nat Sakimura" <[email protected]> wrote:
>
> Hi
>
> I was wondering if we could define an Artifact Binding/Mobile Profile for
> Wrap.
>
> The way I would do it is pretty simple because Wrap Web App Profile is an
> Artifact Binding to some extent.
> Just send a Verification Code Request directly from WebAppClient to
> AuthzServer and get an Artifact back and bring that to AuthzServer through UA.
> After PoP, another artifact is created at AuthzServer and
> it is brought back to the WebAppClient through UA redirect.
> Then, the Verification Code Response can be obtained from AuthzServer
> directly using the artifact.
> The rest is the same.
>
> I created a blog entry with a pretty diagram at
>
> http://www.sakimura.org/en/modules/wordpress/oauth-wrap-mobile-web-app-profile/
>
> It may be easier to see the page instead of the above description.
>
> (Instead of using a response artifact, the Verification Code Response can be
> sent directly, but then we would be introducing AuthzServer -> WebAppClient
> communication, which would have some implication on firewall configuration.)
>
> For those of you who say that "Artifact is Complex", see the original Web
> App Profile here:
>
> http://www.sakimura.org/en/modules/wordpress/oauth-wrap-web-app-profile-summary/
>
> It is almost identical.
>
> Added value is that it is more "mobile" friendly, and is actually more
> secure if the Request Artifact and Response Artifact (wrap_verification_code)
> are generated cryptographically strongly.
>
> What would you think?
>
> _______________________________________________
> specs mailing list
> [email protected]
> http://lists.openid.net/mailman/listinfo/openid-specs

--
Nat Sakimura (=nat)
http://www.sakimura.org/en/
http://twitter.com/_nat_en
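The artifact exchange Nat sketches above (Verification Code Request over the back channel, a request artifact carried through the UA, a response artifact carried back as wrap_verification_code, then direct resolution at the AuthzServer), simulated end to end. This is an added example written for this page; it is not code from the thread, from Nat's draft, or from any OAuth WRAP implementation. The class and method names, the client_id/client_secret registration, the 60-second expiry and the single-use rule are assumptions made for illustration; the 400-byte ceiling is the limit Nat quotes for the Artifact Binding draft. The point it demonstrates is the one Nat makes: the client only ever handles an opaque string, and all meaning lives in state the AuthzServer keeps.

```python
# Constructed simulation of the artifact-bound OAuth WRAP flow described in
# the thread. Names, registration scheme, TTL and single-use policy are
# assumptions for this example, not definitions from the draft or the spec.
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

ARTIFACT_MAX_BYTES = 400  # size ceiling quoted for the Artifact Binding draft


class AuthzServer:
    """Creates, stores and resolves artifacts; the only party that sees inside them."""

    def __init__(self, clients, ttl_seconds=60):
        self.clients = clients       # client_id -> client_secret (assumed registration)
        self.ttl = ttl_seconds
        self._requests = {}          # request artifact -> pending Verification Code Request
        self._responses = {}         # response artifact -> Verification Code Response

    def _new_artifact(self):
        # 32 random bytes, URL-safe encoded: unguessable, and far below 400 bytes.
        art = secrets.token_urlsafe(32)
        assert len(art.encode()) <= ARTIFACT_MAX_BYTES
        return art

    def _take(self, table, artifact, client_id=None):
        # Reject unknown, expired or foreign artifacts; consume only on success,
        # so every artifact resolves at most once.
        entry = table.get(artifact)
        if entry is None or entry["exp"] < time.time():
            return None
        if client_id is not None and entry["client_id"] != client_id:
            return None
        del table[artifact]
        return entry

    def _check_client(self, client_id, client_secret):
        if self.clients.get(client_id) != client_secret:
            raise PermissionError("unknown client or bad secret")

    def verification_code_request(self, client_id, client_secret, callback, scope):
        """Step 1 (back channel): WebAppClient asks directly, gets a request artifact."""
        self._check_client(client_id, client_secret)
        art = self._new_artifact()
        self._requests[art] = {"client_id": client_id, "callback": callback,
                               "scope": scope, "exp": time.time() + self.ttl}
        return art

    def authorize_via_ua(self, request_artifact, user, approved):
        """Step 2 (front channel): UA presents the request artifact; the user
        authenticates and approves; a response artifact goes back by redirect."""
        req = self._take(self._requests, request_artifact)
        if req is None:
            raise ValueError("unknown, expired or already used request artifact")
        if not approved:
            return req["callback"] + "?" + urlencode({"wrap_error": "access_denied"})
        resp_art = self._new_artifact()
        self._responses[resp_art] = {"client_id": req["client_id"], "user": user,
                                     "scope": req["scope"], "exp": time.time() + self.ttl}
        return req["callback"] + "?" + urlencode({"wrap_verification_code": resp_art})

    def resolve(self, client_id, client_secret, response_artifact):
        """Step 3 (back channel): WebAppClient redeems the response artifact directly."""
        self._check_client(client_id, client_secret)
        resp = self._take(self._responses, response_artifact, client_id)
        if resp is None:
            raise ValueError("unknown, expired, reused or foreign response artifact")
        return {"user": resp["user"], "scope": resp["scope"]}


class WebAppClient:
    """Treats both artifacts as opaque strings; never parses them."""

    def __init__(self, client_id, client_secret, callback):
        self.client_id, self.client_secret, self.callback = client_id, client_secret, callback

    def start(self, authz, scope):
        return authz.verification_code_request(self.client_id, self.client_secret,
                                               self.callback, scope)

    def finish(self, authz, redirect_url):
        qs = parse_qs(urlsplit(redirect_url).query)
        if "wrap_verification_code" not in qs:
            raise ValueError(qs.get("wrap_error", ["no verification code"])[0])
        return authz.resolve(self.client_id, self.client_secret,
                             qs["wrap_verification_code"][0])


def run_flow():
    """Run the three steps once and probe the failure modes the design relies on."""
    authz = AuthzServer({"app1": "app1-secret", "app2": "app2-secret"})
    client = WebAppClient("app1", "app1-secret", "https://app.example/cb")
    req_art = client.start(authz, "profile")                       # step 1
    redirect = authz.authorize_via_ua(req_art, user="alice", approved=True)  # step 2
    code = parse_qs(urlsplit(redirect).query)["wrap_verification_code"][0]
    checks = {"redirect": redirect}
    try:                                  # another client cannot redeem app1's artifact
        authz.resolve("app2", "app2-secret", code); checks["foreign_client_rejected"] = False
    except ValueError:
        checks["foreign_client_rejected"] = True
    checks.update(client.finish(authz, redirect))                  # step 3
    try:                                  # a redeemed response artifact cannot be replayed
        client.finish(authz, redirect); checks["replay_rejected"] = False
    except ValueError:
        checks["replay_rejected"] = True
    try:                                  # a consumed request artifact cannot be re-presented
        authz.authorize_via_ua(req_art, "alice", True); checks["request_reuse_rejected"] = False
    except ValueError:
        checks["request_reuse_rejected"] = True
    return checks


if __name__ == "__main__":
    print(run_flow())
```

Because the redirect carries only the random response artifact, neither the user identity nor the granted scope appears in the front-channel URL, which is what makes the GET response small and the artifact safe to pass through a mobile browser; the expiry and consume-on-success rules in `_take` are what stop a captured artifact from being replayed.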
