Re: [OAUTH-WG] New Version Notification for draft-hunt-oauth-v2-user-a4c-00.txt

2013-07-30 Thread Nat Sakimura
Right. Anyone who agreed to IPR could have proposed the text in the work group. Re: Messages and Standard Messages were supposed to be the collection of terminology and parameters sets. Standard was meant to be HTTP binding, which would effectively make it OAuth 2.0 + authentication + identity. A

Re: [OAUTH-WG] New Version Notification for draft-hunt-oauth-v2-user-a4c-00.txt

2013-07-30 Thread Todd W Lainhart
Campbell, Cc: "oauth@ietf.org WG" Date: 07/30/2013 12:59 PM Subject: Re: [OAUTH-WG] New Version Notification for draft-hunt-oauth-v2-user-a4c-00.txt Sent by: oauth-boun...@ietf.org I always think I pretty much understand OIDC until I see the specs list On 7/30/

Re: [OAUTH-WG] New Version Notification for draft-hunt-oauth-v2-user-a4c-00.txt

2013-07-30 Thread Richer, Justin P.
So it's not the protocol that's the problem, it's the documentation. For that I'm 100% with you all. However, I really don't think that the right response to that is "we'll just invent something new and incompatible with slightly different names" -- it's to document the protocol better. -- Jus

Re: [OAUTH-WG] New Version Notification for draft-hunt-oauth-v2-user-a4c-00.txt

2013-07-30 Thread Paul Madsen
I always think I pretty much understand OIDC until I see the specs list On 7/30/13 12:39 PM, Brian Campbell wrote: Yes, that. On Tue, Jul 30, 2013 at 4:46 PM, Richer, Justin P. wrote: Yes, I agree that the giant stack of documents is intimidating and in my

Re: [OAUTH-WG] New Version Notification for draft-hunt-oauth-v2-user-a4c-00.txt

2013-07-30 Thread Brian Campbell
Yes, that. On Tue, Jul 30, 2013 at 4:46 PM, Richer, Justin P. wrote: > Yes, I agree that the giant stack of documents is intimidating and in my opinion it's a bit of a mess with Messages and Standard split up (but I lost that argument years ago).

Re: [OAUTH-WG] New Version Notification for draft-hunt-oauth-v2-user-a4c-00.txt

2013-07-30 Thread Richer, Justin P.
That's what people thought with OpenID 2.0, and they were wrong then, too, if you ask me. Even then, userinfo endpoint isn't MTI anyway. -- Justin On Jul 30, 2013, at 11:25 AM, Phil Hunt <phil.h...@oracle.com> wrote: The whole point is authn only. Many do not want or need the userinfo

Re: [OAUTH-WG] New Version Notification for draft-hunt-oauth-v2-user-a4c-00.txt

2013-07-30 Thread Richer, Justin P.
What do you mean? You absolutely can implement a compliant OIDC server nearly as simply as this. The things that you're missing I think are necessary for basic interoperable functionality, and are things that other folks using OAuth for authentication have also implemented. Namely: - Signing t

Re: [OAUTH-WG] New Version Notification for draft-hunt-oauth-v2-user-a4c-00.txt

2013-07-30 Thread Phil Hunt
The oidc specs do not allow this simple an implementation. The spec members have not shown interest in making changes as they say they are too far down the road. I have tried to make my draft as close as possible to oidc but maybe it shouldn't be clarity wise. I am interested in what the group

Re: [OAUTH-WG] New Version Notification for draft-hunt-oauth-v2-user-a4c-00.txt

2013-07-30 Thread Richer, Justin P.
From what I read, you've defined something that uses an OAuth 2 code flow to get an extra token which is specified as a JWT. You named it "session_token" instead of "id_token", and you've left off the User Information Endpoint -- but other than that, this is exactly the Basic Client for Open