Hi Eve

Looking at the WRAP-oriented comments in the spec, here are some comments /
questions:

Note
WRAP doesn't seem to say HTTPS is required for the user authorization URL; is 
this a bug in the WRAP spec? If not, is it a good idea for us to profile it in 
this way? Finally, is this the right place to say HTTPS is required for all 
these URLs?

Dick: an HTTPS requirement is prohibitive at times. See
http://groups.google.com/group/oauth-wrap-wg/browse_thread/thread/821e73bcbd8033dd?hl=en#
for a recent discussion on this.

Note
Need lots of examples for all of this. Also, note that WRAP forces clients to 
use POST on access token URLs and refresh token URLs; can we use GET in the way 
described here?

Dick: why do you want GET? There are security issues with using GET to the AS.

Note
Obviously this is just the highest-level sketch of what needs to happen! This 
needs to be fleshed out. (E.g., the wrap_scope format could be reused here, 
without any wildcards.)
Also, are we concerned that a malicious host could lie about the attempted 
resource and method? The only consequence seems to be "false negatives" in 
managing authorized access, in which case the user would get unhappy pretty 
quickly.

Dick: it was envisioned that the scope of a function of scope would be embedded 
in the Access Token. Or perhaps I don't understand the issue.


On 2010-03-04, at 11:01 AM, Eve Maler wrote:

> Folks may be interested to see the following experiment being performed in 
> the UMA group:
> 
> http://kantarainitiative.org/confluence/display/~xmlg...@idp.protectnetwork.org/Proposal+for+UMA+1.0+Core+Protocol
> 
> This is a proposal for a spec that uses a WRAP-friendly approach to solving 
> our use cases.  Please note the final comments in today's UMA telecon minutes 
> for cautions about additional requirements we have:
> 
> http://kantarainitiative.org/confluence/display/uma/UMA+telecon+2010-03-04
> 
>       Eve
> 
> Eve Maler
> e...@xmlgrrl.com
> http://www.xmlgrrl.com/blog
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

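Added example, not code from this thread nor from the WRAP or UMA specs, illustrating the last note and Dick's reply to it: the AS embeds the scope (method plus resource, exact match, no wildcards) in the access token and signs it, and the host checks each attempted (method, resource) pair against that signed scope. The JSON claim layout, the HMAC key shared between AS and host, the constructed key value and all function names are assumptions made for this illustration.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key (assumption): the AS signs tokens with it and the host
# verifies with it. A real deployment would use a proper key exchange.
AS_KEY = b"constructed-demo-signing-key"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(scope, key=AS_KEY):
    """AS side: embed the scope in the token body and sign the body.

    `scope` is a list of {"method": ..., "resource": ...} entries. The claim
    format is an assumption for this example, not the WRAP/UMA wire format.
    """
    body = _b64(json.dumps({"scope": scope}, sort_keys=True).encode())
    tag = _b64(hmac.new(key, body.encode("ascii"), hashlib.sha256).digest())
    return body + "." + tag


def verify_token(token, key=AS_KEY):
    """Host side: return the claims only if the signature over the body holds."""
    body, sep, tag = token.partition(".")
    if not sep:
        return None
    try:
        given = _unb64(tag)
    except ValueError:  # binascii.Error is a ValueError: malformed tag
        return None
    expected = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(given, expected):
        return None
    return json.loads(_unb64(body))


def host_allows(token, method, resource, key=AS_KEY):
    """Host side: is (method, resource) covered by the token's signed scope?

    Exact match only, i.e. no wildcards, as the note suggests. Because the
    scope is under the AS signature, a host that misreports the method or
    resource it is checking can only deny access it could have granted (a
    false negative); it cannot widen what the token authorizes.
    """
    claims = verify_token(token, key)
    if claims is None:
        return False
    return any(entry["method"] == method and entry["resource"] == resource
               for entry in claims.get("scope", []))


def tamper_scope(token, new_scope):
    """Simulate a host that rewrites the scope claim but keeps the old tag."""
    _body, _sep, tag = token.partition(".")
    new_body = _b64(json.dumps({"scope": new_scope}, sort_keys=True).encode())
    return new_body + "." + tag


if __name__ == "__main__":
    token = issue_token([{"method": "GET", "resource": "/photos/123"}])
    print(host_allows(token, "GET", "/photos/123"))      # True
    print(host_allows(token, "DELETE", "/photos/123"))   # False
    forged = tamper_scope(token, [{"method": "DELETE", "resource": "/photos/123"}])
    print(host_allows(forged, "DELETE", "/photos/123"))  # False: tag no longer matches
```

The tampering case is the one the note worries about: even if the host (or anyone holding the token) rewrites the scope claim, the tag was computed over the original body, so verification fails and access is refused rather than widened.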