Phil, I read through the Chain Grant Type for OAuth 2 draft and appreciate the problem you are addressing.
We encountered the same issue when using OpenSocial gadgets with OAuth when data needs to come from more than one server. It is not user-friendly to prompt an end user to log into multiple servers, and a robust chaining model can help.

You indicate a domain is all resource servers that share a common OAuth token service (Section 2). Is a token service actually an "authorization server" per v13 of the base OAuth 2 spec, or are you referring to something else?

In Section 2.2, first two bullets, is the implication that "OAuth token services" are performing identity federation? The spec states the method used to do this is in companion OAuth token specifications, but it isn't clear to me which token specification addresses identity federation. Which token specs/sections are you referring to as an example?
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth