I'd note that the reaction at the conference to Ian's statement was
overwhelmingly positive. There was a wide range of industry people here -
implementers, practitioners, deployers, strategists, etc. - and it seems
pretty clear that the rough consensus of the industry at large is that
a4c is not
There is a lot of spin being applied, yes. But not from Ian.
On Thu, Jul 24, 2014 at 7:00 AM, Anthony Nadalin tony...@microsoft.com
wrote:
I’m sure it was spun in a way that could be true since there was no
technical value to Ian’s statement and I’m sure that folks had not read or
I am not against discussion in the WG.
I happen to agree with Phil's fundamental premise that some developers are
using OAuth in an insecure way to do authentication.
That raises the question of how to best educate them, and/or address technical
barriers.
It is on the second point that
The audience of an access token is an RS, and we have a principle of the token
being opaque to the client.
On the other hand that is in line with what In was thinking. It is an access
token with no scopes that confers no access to a resource.
We can define a string for that or perhaps a JWT with
Phil,
I thoroughly enjoy working with you whenever I can, and I really liked
your work on SCIM, but from the perspective of the web developers I work
with, I have a few concerns about what you wrote:
1. Developer experience and usability of the standards
You keep mentioning that web
I'm sorry to miss what will likely be a very engaging meeting today.
The premise that some developers are using OAuth in an insecure way to do
authentication is something we can probably all agree on.
It doesn't necessarily follow from that premise, however, that the solution
is yet another spec
OMG, how can you say that when the Dynamic Reg does the same thing (duplicates)
but that is OK to do
From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Brian Campbell
Sent: Thursday, July 24, 2014 10:22 AM
To: John Bradley
Cc: oauth@ietf.org list
Subject: Re: [OAUTH-WG] New Version
Connect needed to be completed. To do that some things that were not Identity
specific but required for Connect to be interoperable also needed to be
completed in a stable form.
The fact that with some tweaking based on input from the IETF community like
software statements Connect's dynamic
This could also be solved by explicitly defining a scope for access tokens
specific to the needed (no-op?) behavior for ac4.
On Thursday, July 24, 2014 8:34 AM, tors...@lodderstedt.net
tors...@lodderstedt.net wrote:
I honestly don't understand why you care about omitting the access token
2014-07-24 14:17 GMT-04:00 Bill Mills wmills_92...@yahoo.com:
Then why aren't people using this instead of (mis)using OAuth for this?
Even with a spec this short, IMHO, developers would not read it.
What they want is an easy-to-read description with sample code, I suppose.
It also does not have
The situations are rather different.
On Thu, Jul 24, 2014 at 11:25 AM, Anthony Nadalin tony...@microsoft.com
wrote:
OMG, how can you say that when the Dynamic Reg does the same thing
(duplicates) but that is OK to do
From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Brian
Oh yea, real different, give me a freaking break
From: Brian Campbell [mailto:bcampb...@pingidentity.com]
Sent: Thursday, July 24, 2014 6:31 PM
To: Anthony Nadalin
Cc: John Bradley; oauth@ietf.org list
Subject: Re: [OAUTH-WG] New Version Notification for
draft-hunt-oauth-v2-user-a4c-05.txt
The