Why RO as an issuer is only theoretical today?
Brian Campbell
2012-12-04 23:41
收件人
Nat Sakimura
抄送
zhou.suj...@zte.com.cn, "oauth@ietf.org"
主题
Re: [OAUTH-WG] Assertion Framework - Why does issuer have to be either the
client or a third party token service?
The intent was definitely n
We are working with one of our users on the support for pre-authorized
tokens which can be checked by AS at the initial end user redirection to
this AS before requesting the end-user authorization.
My assumption is that if the pre-authorized token exists then the client
provided scope, if any,
You're right that UMA bundles several things in the protection API (covered by
the protection scope, whose keyword is actually the resolvable URI
"http://docs.kantarainitiative.org/uma/scopes/prot.json";). One of those things
is the use of the token status endpoint; the rest is the whole mechani
Hi Justin-- Glad to see this moving forward. This draft seems pretty
straightforward, and I imagine the UMA core spec could probably incorporate a
reference out to this rather than continuing to use our custom-specified method
for what we'd called "token status". I wanted to highlight a couple o
Preparing generically for context to be provided by the RS/host, as well as
metadata provided back by the AS/AM, seems like a good idea, and hopefully
doesn't have to be over-complex. Extension points can be quite simple if
designed right. But I agree that the basic use case of "give me back the
Hannes suggested that, for transparency, I should share with the list the
comments that I had earlier sent to Justin. Here they are. I believe these have
all been addressed in one way or another by now.
Eve
General
- Authorship: I suspect that Christian Scholz really won't mind i
FYI,
We will also be holding a conference call on Friday, December 14th at
1pm EST. This call is not an official virtual interim meeting which
means no decisions can be made, but it is a time where we plan to
discuss progress and discuss any open issues.
We will send out dial-in information ASAP
The intent was definitely not to constrain who/what could be the issuer.
But also try to provide
some guidance around the common cases that are actually being deployed now,
which are the client self-issued and STS variants. Resource owner as an
issuer is an interesting case but seems mostly theoret
