Hi
On 21/05/14 03:29, Prateek Mishra wrote:
The difference between the two scenarios is that the authorization code
has a one-use property and also requires the user to be present.
These conditions are not available in the (assertion grant --> access
token) with a public client. So there are som
The difference between the two scenarios is that the authorization code
has a one-use property and also requires the user to be present.
These conditions are not available in the (assertion grant --> access
token) with a public client. So there are some fundamental differences
in security prop
Hi Prateek
On 20/05/14 16:00, Prateek Mishra wrote:
Sergey - you haven't missed anything. The client remains unregistered
throughout the exchange.
There is no relationship between the assertion grant (or access token)
and the client either.
You are pointing out that an AS endpoint supporting un
Sergey - you haven't missed anything. The client remains unregistered
throughout the exchange.
There is no relationship between the assertion grant (or access token)
and the client either.
You are pointing out that an AS endpoint supporting unregistered clients
(public in OAuth terminology) f
On 5/20/2014 10:04 AM, Sergey Beryozkin wrote:
Hi,
Thanks for the clarification,
On 20/05/14 14:03, Brian Campbell wrote:
Yes Sergey, it's to allow for support of unregistered clients. Typically
such clients will have some relationship established with a security
token service (STS) where the
Hi,
Thanks for the clarification,
On 20/05/14 14:03, Brian Campbell wrote:
Yes Sergey, it's to allow for support of unregistered clients. Typically
such clients will have some relationship established with a security
token service (STS) where they can obtain assertion grants and the AS
trusts th
Yes Sergey, it's to allow for support of unregistered clients. Typically
such clients will have some relationship established with a security token
service (STS) where they can obtain assertion grants and the AS trusts the
STS to issue such assertions. In that kind of scenario, the identity of the
Hi
I'm reviewing the way client authentication is expected to be done when
either SAML or JWT bearer assertion is used as a grant [1] which
corresponds to the case described in [2].
[1] says: "Authentication of the client is optional...".
Can someone please clarify how it can be optional giv
