I have no doubt that the description makes sense, but I have not quite
grasped it. I think that what you mean is the case when I want to get
to a web site (relying party) with an OpenID. Here I should get from the
identity provider (after it authenticates me) not only an assertion to
pass back to the relying party but also a token.
But what I don't understand is what access rights this token will give
me. Is it that my identity provider is expected to know what access
rights I have on different sites? This is the part that I am lost in.
Maybe it would be easy to explain this idea by applying it to the
classical OAuth use case (i.e., getting a printing service to print my
photos on a photo album site)?
If there is something written on this case, maybe you could share it?
I am actually very interested in this subject and glad that you brought
it up.
Igor
Torsten Lodderstedt wrote:
Suppose a website wants to (1) login users interactively and (2) access
web services on behalf of those users which are secured by tokens.
From my point of view, one could integrate token issuance into the
login process. So the application might perform login via OpenID and
request access tokens as additional results of the login process from
the identity provider. Does this make sense?
regards,
Torsten.
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth