I suppose, yes. I was reading it like that all the time.
Whether it is or not, if it is still ok, it might be better to clarify it.
Words like "third party" tend to be a bit of a problem without clearly
defining them.
I had a similar experience in other fora.

Nat

Sent from iPad

On 2012/12/03 0:52, "zhou.suj...@zte.com.cn" <zhou.suj...@zte.com.cn> wrote:


could be Resource owner?


 *"Tschofenig, Hannes (NSN - FI/Espoo)" <hannes.tschofe...@nsn.com>*
Sender: oauth-boun...@ietf.org

2012-12-03 16:49
To: "ext Nat Sakimura" <sakim...@gmail.com>, "Brian Campbell" <bcampb...@pingidentity.com>, "oauth" <oauth@ietf.org>
Cc:
Subject: Re: [OAUTH-WG] Assertion Framework - Why does issuer have to be either the client or a third party token service?




Hi Nat,

The current text essentially says that the assertion can either be created
by the client (in which case it is self-signed) or it can be created by
some other entity (which is then called the third party token service). So,
this third party could be the authorization server.

Ciao
Hannes


*From:* oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] *On Behalf Of* ext Nat Sakimura
*Sent:* Monday, December 03, 2012 10:35 AM
*To:* Brian Campbell; oauth
*Subject:* [OAUTH-WG] Assertion Framework - Why does issuer have to be either the client or a third party token service?

Hi Brian,


The assertion framework defines the Issuer as:

   Issuer  The unique identifier for the entity that issued the
      assertion.  Generally this is the entity that holds the key
      material used to generate the assertion.  The issuer may be either
      an OAuth client (when assertions are self-issued) or a third party
      token service.

I was wondering why it has to be either the client or a third party token
service.
Conceptually, it could be any token service (functionality) residing in any
of the stakeholders (Resource Owner, OAuth Client, Authorization Server, or
a third party).


I would appreciate it if you could clarify why this is the case.


Best,

-- 
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en
 _______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth