Prabath Siriwardena <prab...@wso2.com> wrote on 2013-01-21 15:27:57:

> I guess that is a pattern used many scenarios. Requesting client can
> suggest - but its up to the AS to honor it or not...

Not exactly. For example, the RS supports two token types: one is bearer token,
the other is holder-of-key, which is assumed more secure than the first one.
The RS really wants the second type, but (a dishonest) client, always
choosing the weakest, requests the first one.
What is the meaning for the client to specify the token type?

> 
> Thanks & regards,
> -prabath

> On Mon, Jan 21, 2013 at 12:43 PM, <zhou.suj...@zte.com.cn> wrote:
> 
> William Mills <wmills_92...@yahoo.com> wrote on 2013-01-21 13:44:45:
> 
> 
> > Not a problem for the client to request a type, but it may not get it.
> 
> I don't object to the client requesting a type, but I think it is
> meaningful only when the requested type is specified by an RS,
> and the client just relays that request to the AS.
> 
> > 
> > From: "zhou.suj...@zte.com.cn" <zhou.suj...@zte.com.cn>
> > To: Prabath Siriwardena <prab...@wso2.com> 
> > Cc: "oauth@ietf.org WG" <oauth@ietf.org>; William Mills 
> > <wmills_92...@yahoo.com> 
> > Sent: Sunday, January 20, 2013 9:38 PM
> > Subject: Re: Re: Re: [OAUTH-WG] Client cannot specify the token type it needs
> > 
> > 
> > Well, if the RS could specify the token type, then the client could transfer it to the AS,
> > I think, but it is not a good idea for the client itself to specify the
> > token type.
> > 
> > 
> > Prabath Siriwardena <prab...@wso2.com> wrote on 2013-01-21 13:29:05:
> > 
> > > Think about a distributed setup. You have single Authorization 
> > > Server and multiple Resource Servers. 
> > > 
> > > Although OAuth nicely decouples AS from RS - AFAIK there is no
> > > standard established for communication between AS and RS - how to
> > > declare metadata between those.
> > > 
> > > Also there can be Resource Servers which support multiple token 
> > > types. It could vary on APIs hosted in a given RS. 
> > > 
> > > Thanks & regards, 
> > > -Prabath 
> > > 
> > > On Mon, Jan 21, 2013 at 10:48 AM, <zhou.suj...@zte.com.cn> wrote: 
> > > 
> > > The token type should be decided by the resource server, which consumes
> > > the access token.
> > > The client just re-tells the requested token type to the AS.
> > > The client should not specify the token type.
> > > 
> > > 
> > > oauth-boun...@ietf.org wrote on 2013-01-21 13:08:39:
> > > 
> > > 
> > > > This is true.  It's possible for the AS to vary its behavior on
> > > > scope name, but it's presumed the AS and RS have an agreement of
> > > > what token type is in play.  Likely a good extension to the spec.
> > > 
> > > > 
> > > > From: Prabath Siriwardena <prab...@wso2.com>
> > > > To: "oauth@ietf.org WG" <oauth@ietf.org> 
> > > > Sent: Sunday, January 20, 2013 7:28 PM
> > > > Subject: [OAUTH-WG] Client cannot specify the token type it needs 
> > > 
> > > > 
> > > > Although token type is extensible according to the OAuth core 
> > > > specification - it is fully governed by the Authorization Server. 
> > > > 
> > > > There can be a case where a single AS supports multiple token types
> > > > based on client request.
> > > > 
> > > > But currently we don't have a way the client can specify (or at
> > > > least suggest) which token type it needs in the OAuth access
> > > > token request?
> > > > 
> > > > Is this behavior intentional ? or am I missing something... 
> > > > 
> > > > Thanks & Regards,
> > > > Prabath 
> > > > 
> > > > Mobile : +94 71 809 6732 
> > > > 
> > > > http://blog.facilelogin.com
> > > > http://RampartFAQ.com 
> > > > 
> > > > _______________________________________________
> > > > OAuth mailing list
> > > > OAuth@ietf.org
> > > > https://www.ietf.org/mailman/listinfo/oauth
> > > > 
> > > 
> > 
> > > 
> > > -- 
> > > Thanks & Regards,
> > > Prabath 
> > > 
> > > Mobile : +94 71 809 6732 
> > > 
> > > http://blog.facilelogin.com
> > > http://RampartFAQ.com 
> > 
> 

> 
> -- 
> Thanks & Regards,
> Prabath
> 
> Mobile : +94 71 809 6732 
> 
> http://blog.facilelogin.com
> http://RampartFAQ.com
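To make the downgrade concern in this thread concrete, here is an added illustration (not code from the thread, from any of the participants, or from any OAuth implementation) of an AS token-type decision: the RS declares which token types it consumes, the client may suggest one, and the AS refuses a suggestion the RS would not accept instead of issuing the weaker token. The `resource` and `token_type` request parameters, the RS registry and the strength ranking are all assumptions of the example, since the thread notes that no standard exists for any of them.

```python
# Relative strength ranking; the thread treats holder-of-key as stronger
# than bearer. The numeric values are an assumption of this example.
STRENGTH = {"bearer": 1, "holder-of-key": 2}

# Constructed RS-to-AS metadata: token types each RS (keyed by resource URI)
# will consume. The thread notes no standard exists for exchanging this, so
# treat it as a hypothetical out-of-band agreement between RS and AS.
RS_ACCEPTED_TYPES = {
    "https://rs.example/payments": {"holder-of-key"},
    "https://rs.example/catalog": {"bearer", "holder-of-key"},
}


class TokenTypeError(ValueError):
    """The request cannot be satisfied under the RS's token type policy."""


def naive_token_type(request):
    """The behaviour the thread warns against: honour whatever the client asks,
    so a client that always picks the weakest type gets a bearer token."""
    return request.get("token_type", "bearer")


def select_token_type(request, rs_policy=RS_ACCEPTED_TYPES):
    """Choose the token type for an access token request.

    `request` holds the hypothetical parameters `resource` (which RS the
    token is for) and, optionally, `token_type` (the client's suggestion).
    The RS policy, not the client, decides what may be issued.
    """
    accepted = rs_policy.get(request.get("resource"))
    if not accepted:
        raise TokenTypeError("unknown resource server; no token type policy")
    requested = request.get("token_type")
    if requested is None:
        # No suggestion: issue the strongest type the RS is willing to take.
        return max(accepted, key=STRENGTH.__getitem__)
    if requested not in STRENGTH:
        raise TokenTypeError(f"unsupported token type {requested!r}")
    if requested not in accepted:
        # e.g. bearer requested for an RS that only accepts holder-of-key:
        # the suggestion is refused rather than silently downgraded.
        raise TokenTypeError(f"RS does not accept {requested!r} tokens")
    return requested
```

With the same request, `naive_token_type` hands the dishonest client a bearer token for the payments RS while `select_token_type` raises `TokenTypeError`; for the catalog RS, which accepts both types, the client's choice of bearer is honoured because that is the RS's own decision.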