Torsten, have you thought about the relevance of the <saml:Issuer> for
identifying the client?
Identify if not authenticate.
On 5/13/2010 6:38 AM, Torsten Lodderstedt wrote:
In my perception, we reached consensus in the thread "Autonomous
clients and resource owners (editorial)" that the assertion flow
should support clients acting on behalf of users, not only autonomous
clients.
The specification currently states "This flow is suitable when the
client is acting autonomously or on behalf of the end-user (based on
the content of the assertion used).", which is fine with me.
Im struggling to understand how the flow handles the two required
identities, the client and the end-user. I basically see two options:
1) the assertion attests both identities. I'm not aware of any
identity framework attesting two identities in a single assertion.
2) If we assume the assertion attests the end-user's identity only,
there is the need for additional parameters used to authenticate the
client. From my point of view, the situation is similar to the
"Username and Password Flow". There, the specification defines two
credential sets (username/password and client_id/client_secret) two
prove both identities.
Therefore, I would propose to add optional client_id/client_secret
parameters (or an Authorization header) to pass the client credentials
to the assertion flow if the assertion contains the end-user identity.
Alternatively, one could add another flow to the spec, probably called
"User Assertion Flow".
Any thoughts?
regards,
Torsten.
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
