> In terms of format, it suggests:
>
> format
> REQUIRED. The format of the assertion as defined by the authorization
> server. The format MUST be a URI which designates a profile of the
> assertion flow.
>
> I personally think this is all that is required. It would be nice if these
> were addressable URIs, but in practice that doesn't happen often, and it
> does leave behind some specs which are using urn's.
wrt the latter, URNs are a subset of URIs so they could be used.
it would be good to have "format"s registered with IANA, this involves setting
up an IANA registry for such, which is relatively easy to accomplish, and is
the sort of thing that is placed in the IANA Considerations section of this
spec (OAuth 2.0).
Then, the spec for the OAuth SAML assertion profile would specify it's "format"
value, and duly register that with the OAuth Assertion Format Registry.
=JeffH
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
