On Tue, Mar 23, 2010 at 11:58 AM, Dick Hardt <dick.ha...@gmail.com> wrote: > David: perhaps if you asked the list about features before dropping > them we would not all have to argue with you about why to put them > back in.
My goal by removing some of the non-obvious things was to encourage the discussion which has now started! Many of the design decisions that went into WRAP haven't entirely been shared in public. Since one of our major goals is developer simplicity it's reasonable to start with less and justify everything that's being added. As the working group has seen, I'm really willing to add things back in once the reasoning has been explained (error codes, SAML flow, etc). > Frankly I was surprised that you did not circulate the draft > to me as editor of WRAP. I focused on getting feedback from consumer web deployers of OAuth 1.0 (Twitter and Digg) who haven't participated in these discussions yet as they're extremely important to technology adoption. I also spoke to Google, Microsoft, and Yahoo! as they were the three companies who developed WRAP together. I'm sorry if I rubbed you the wrong way, but until this IETF meeting I didn't know that you were planning to deploy OAuth 2.0 as you were no longer working for Microsoft. This shouldn't prevent us from working together on making OAuth 2.0 rock. :) > WG Chairs: Is this draft now the draft that the WG is working on and > is David now the editor for the WG? > > -- Dick > > On 2010-03-23, at 10:47 AM, David Recordon <record...@gmail.com> wrote: > >> Hey Chuck, >> Thanks for rewriting the SAML flow into the style of my draft! I >> really appreciate it. >> >> I originally dropped the SAML flow because I hadn't seen support for >> it on the mailing list(s) the past two months. I think that our >> default should be making the spec as short and simple as possible so >> removed a few things from WRAP in order to start conversations like >> this one. It's now clear that Google, Microsoft, Salesforce, and IBM >> all need the SAML profile. Chuck, I'll merge your wording in. Want >> to be listed as an author? >> >> We're also going to need to figure out which flows should be in the >> core spec versus which should be developed at the same time but in >> individual documents. >> >> Thanks, >> --David >> >> On Tue, Mar 23, 2010 at 4:50 AM, Torsten Lodderstedt >> <tors...@lodderstedt.net> wrote: >>> +1 for assertion support >>> >>> what about enhancing the flow #2.4 to accept any kind of user >>> credentials >>> (username/password, SAML assertions, other authz servers tokens) >>> >>> regards, >>> Torsten. >>> >>> Am 23.03.2010 um 12:42 schrieb Mark Mcgloin >>> <mark.mcgl...@ie.ibm.com>: >>> >>>> +1 for assertion profile. Was there any reason why it was dropped? >>>> >>>> On 3/23/10, Chuck Mortimore wrote: >>>>> >>>>> Just getting a chance to review this – I apologize for not get >>>>> ting this >>>> >>>> before the meeting started. >>>> >>>>> We’d like to see some form of an Assertion Profile, similar to >>>>> section >>>>> 5.2 >>>> >>>> from draft-hardt-oauth-01. We have strong customer use-cases for >>>> an >>>> assertion based flow, specifically SAML bearer tokens, and I >>>> >believe >>>> Microsoft may have already shipped a minor variation on this >>>> ( wrap_SAML ) >>>> in Azure. >>>> >>>> >>>> Mark McGloin >>>> _______________________________________________ >>>> OAuth mailing list >>>> OAuth@ietf.org >>>> https://www.ietf.org/mailman/listinfo/oauth >>> >>> _______________________________________________ >>> OAuth mailing list >>> OAuth@ietf.org >>> https://www.ietf.org/mailman/listinfo/oauth >>> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth > _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
