One issue with Mike's proposal is that all RSs receiving the token would
know all the scopes the token is valid for.
Imagine an app requesting access to scopes allowing it to see your bank
balance and retrieve your wish lists from another RS. It'll get it in the
form of a Bearer token with those
+1.
I've understood from what Justin said the idea is to introduce a
standard way for RS to communicate to AS about the tokens issued by the
AS. I think it is a good idea, I'd only not focus on the RS-to-3rd party
AS communications because it complicates it a bit.
Clearly it would be of
On 30/07/14 04:45, Eve Maler wrote:
I would say that if an RS and AS are relatively tightly coupled and have
established their trust off stage, then the RS will know where to go
and how to interpret the results.
+1. It is an obvious answer, there has to be a trust established between
RS and AS.
Yes, I support WG taking this on.
On Mon, Jul 28, 2014 at 11:57 AM, Paul Madsen paul.mad...@gmail.com wrote:
I support the WG taking this on
On 7/28/14, 1:33 PM, Hannes Tschofenig wrote:
Hi all,
during the IETF #90 OAuth WG meeting, there was strong consensus in
adopting the OAuth
This request for only those not at the F2F to add to the hum has gone a bit off
the rails.
For those not in the room there was discussion that the draft needed a method
to deal with:
- Multiple AS
- Supporting the PoP specs
- stopping clients or other interceptors of the token from
On 30/07/14 14:42, John Bradley wrote:
This request for only those not at the F2F to add to the hum has gone a bit off
the rails.
Meaning you see too much feedback? Is it bad, even if some of it may be
off topic?
For those not in the room there was discussion that the draft needed a method
No, that those of us who were following the instructions not to comment if
our hum was recorded in the room, should not hold back given the nature of the
thread has changed.
It was also an indication to the chair that the original intent of the thread to
judge consensus is impacted by some
Hi John
On 30/07/14 14:59, John Bradley wrote:
No, that those of us who were following the instructions not to comment if
our hum was recorded in the room, should not hold back given the nature of the
thread has changed.
It was also an indication to the chair that the original intent of the
Take a look at RFC 6750 The OAuth 2.0 Authorization Framework: Bearer
Token Usage - particularly section 3:
http://tools.ietf.org/html/rfc6750#section-3 which describes using the
WWW-Authenticate response header field in response to a request with
an invalid/insufficient/missing/etc token.
On
Actually, I view this in a much simpler way. In today's environment
there is a tight coupling between AS and RS. Each deployment has to
develop its own mechanism for dealing with understanding tokens (even
if the AS and RS are in the same domain).
The introspection spec solves probably 80+
Actually there is both :) There is a JWS that contains an opaque token
from the partner AS. We introspect the opaque token with the partner
at every JWS validation to ensure the authorization is still valid. This
is a risk decision agreed to by both parties. Obviously there are other
ways to
+100 :)
On 7/29/14, 8:52 PM, Justin Richer wrote:
Reading through this thread, it appears very clear to me that the use
cases are very well established by a number of existing implementers
who want to work together to build a common standard. I see no reason
to delay the work artificially by
Thank you very much. It is the specification for token_type=bearer
but really useful. I'm ashamed of having forgotten the content of
RFC 6750 although I had read it once before.
Best Regards,
Takahiko Kawasaki
2014-07-30 21:23 GMT+09:00 Brian Campbell bcampb...@pingidentity.com:
Take a look at
Yes, I support adding this as a WG work item.
On 7/28/14, 1:33 PM, Hannes Tschofenig wrote:
Hi all,
during the IETF #90 OAuth WG meeting, there was strong consensus in
adopting the OAuth Symmetric Proof of Possession for Code Extension
(draft-sakimura-oauth-tcse-03.txt) specification as an OAuth
No worries.
Some of the people in the F2F piling on with discussion derailed Hannes
original question.
during the IETF #90 OAuth WG meeting, there was strong
consensus in
adopting the OAuth Token Introspection
(draft-richer-oauth-introspection-06.txt) specification as
John this is for the people that did not hum at the face to face and not just
for the people not at the face to face.
Sent from my Windows Phone
From: John Bradley mailto:ve7...@ve7jtb.com
Sent: 7/30/2014 7:20 AM
To: Sergey
Interesting point. I defer to your greater hum experience :)
On Jul 30, 2014, at 10:32 AM, Anthony Nadalin tony...@microsoft.com wrote:
John this is for the people that did not hum at the face to face and not
just for the people not at the face to face.
Sent from my Windows Phone
From:
+1
Phil
@independentid
www.independentid.com
phil.h...@oracle.com
On Jul 30, 2014, at 7:15 AM, George Fletcher gffle...@aol.com wrote:
Yes, I support adding this as a WG work item.
On 7/28/14, 1:33 PM, Hannes Tschofenig wrote:
Hi all,
during the IETF #90 OAuth WG meeting, there was
Will the minutes of the meeting be made available? Those might provide
a little more context to those of us who were unable to attend.
On Wed, Jul 30, 2014 at 10:14 AM, John Bradley ve7...@ve7jtb.com wrote:
Interesting point. I defer to your greater hum experience :)
On Jul 30, 2014, at 10:32