Hi Brian,
The assertion framework defines the Issuer as:
Issuer The unique identifier for the entity that issued the
assertion. Generally this is the entity that holds the key
material used to generate the assertion. The issuer may be either
an OAuth client (when assertions are self-issued) or a third party
token service.
I was wondering why it has to be either the client or a third party
token service.
Conceptually, it could be any token service (functionality) residing in any of
the stakeholders (Resource Owner, OAuth Client, Authorization Server, or
a third party).
I would appreciate if you could clarify why is the case.
Best,
--
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
