Hi Eve,

Looking at the WRAP-oriented comments in the spec, here are some comments / questions:

Note: WRAP doesn't seem to say HTTPS is required for the user authorization URL; is this a bug in the WRAP spec? If not, is it a good idea for us to profile it in this way? Finally, is this the right place to say HTTPS is required for all these URLs?

Dick: an HTTPS requirement is prohibitive at times. See http://groups.google.com/group/oauth-wrap-wg/browse_thread/thread/821e73bcbd8033dd?hl=en# for a recent discussion on this.

Note: Need lots of examples for all of this. Also, note that WRAP forces clients to use POST on access token URLs and refresh token URLs; can we use GET in the way described here?

Dick: why do you want GET? There are security issues with using GET to the AS.

Note: Obviously this is just the highest-level sketch of what needs to happen! This needs to be fleshed out. (E.g., the wrap_scope format could be reused here, without any wildcards.) Also, are we concerned that a malicious host could lie about the attempted resource and method? The only consequence seems to be "false negatives" in managing authorized access, in which case the user would get unhappy pretty quickly.

Dick: it was envisioned that the scope of a function of scope would be embedded in the Access Token. Or perhaps I don't understand the issue.

On 2010-03-04, at 11:01 AM, Eve Maler wrote:

> Folks may be interested to see the following experiment being performed in the UMA group:
>
> http://kantarainitiative.org/confluence/display/~xmlg...@idp.protectnetwork.org/Proposal+for+UMA+1.0+Core+Protocol
>
> This is a proposal for a spec that uses a WRAP-friendly approach to solving our use cases. Please note the final comments in today's UMA telecon minutes for cautions about additional requirements we have:
>
> http://kantarainitiative.org/confluence/display/uma/UMA+telecon+2010-03-04
>
> Eve
>
> Eve Maler
> e...@xmlgrrl.com
> http://www.xmlgrrl.com/blog
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth