Re: [OAUTH-WG] WGLC on draft-ietf-oauth-saml2-bearer-03.txt

Wed, 23 Mar 2011 10:05:12 -0700 

<hat type='AD'/>

On 3/19/11 11:58 AM, Hannes Tschofenig wrote:
> Hi all,
> 
> the WGLC for the OAuth base specification has been completed and the
> authors think that this document is ready for a WGLC as well.
> 
> Hence, let us start the last call for comments on
> http://www.ietf.org/id/draft-ietf-oauth-saml2-bearer-03.txt
> 
> Please have your comments in no later than April 2nd.
> 
> Do remember to send a note in if you have read the document and have
> no other comments other than "its ready to go".
> 
> Thanks! Hannes & Blaine 

I've completed a review of this spec, the bearer token spec, and the
base spec. This is the first WGLC message I found in my inbox, so I'm
posting about this spec first. :)

Overall I think this short spec is in fine shape. I have a few small
comments.

1. The grant type is a URI at oauth.net. Is that a stable URI? Does it
need to be?

We could define a new URN parameters registry for grant types that are
defined in standards-track RFCs:

http://www.iana.org/assignments/params/params.xml

However, that might be perceived as overkill.

2. Both the SAML-bearer and v2-bearer specs borrow text from the base
spec when a reference seems better. For example, in Section 2.1 of the
SAML-bearer spec we find this:

   scope
         OPTIONAL.  The scope of the access request is expressed as a
         list of space-delimited strings.  The value is defined by the
         authorization server.  If the value contains multiple space-
         delimited strings, their order does not matter, and each string
         adds an additional access range to the requested scope.

However, that's already defined in Section 4.1.1 of the base spec:

   scope
         OPTIONAL.  The scope of the access request expressed as a list
         of space-delimited strings.  The value is defined by the
         authorization server.  If the value contains multiple space-
         delimited strings, their order does not matter, and each string
         adds an additional access range to the requested scope.

I think it would be better to reference the definitions in the base spec
so that they don't get out of sync.

3. Regarding "invalid_grant" in Section 2.3, I'll post in the thread
about a possible registry of error parameter values.

Peter

-- 
Peter Saint-Andre
https://stpeter.im/

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

Reply via email to