Yes, the drafts are expired, but that's largely because there hasn't
been enough traction in the IETF to push them forward yet. It doesn't
mean that the mechanisms in them don't work though, and if we can get
more support behind them (which includes implementations) we can
eventually put them into full-fledged standards.
-- Justin
On 07/19/2013 11:24 AM, Manfred Steyer wrote:
Hi Justin,
thanks for this answer. Those drafts are really what I was looking for
(I've discovered them yesterday), but unfortunately, it seems like
they are expired and it doesn't seem that there is a replacement that
is generally accepted.
Do I see that right?
Perhaps OpenID Connect gives us a generally accepted way to do such
things in a "REST-friendly" way. While the OpenID Connect Specs [1]
don't explicitly mention delegation scenarios like ActAs in SAML, it
seems to respect such scenarios in a subtle way by the use of the
id_token_hint parameter, which allows authenticating using an
existing token. In addition to that, it allows for scenarios where the
requestor of the token isn't the audience by specifying the azp claim.
And one can include custom claims, which can be used for authorisation.
What do you think about that?
Wishes,
Manfred
[1] http://openid.net/specs/openid-connect-basic-1_0.html
*From:* Justin Richer [mailto:jric...@mitre.org]
*Sent:* Friday, 19 July 2013 16:52
*To:* Manfred Steyer
*Cc:* oauth@ietf.org
*Subject:* Re: [OAUTH-WG] SAML-like ActAs
While I won't profess to be proficient at SAML, I can say that there
have been a couple tries at defining a "chained delegation" grant
extension:
http://tools.ietf.org/html/draft-richer-oauth-chain-00
http://tools.ietf.org/html/draft-hunt-oauth-chain-01
We've deployed the first one with a couple projects here and it works
pretty well, especially with structured tokens and token
introspection. It might not be a drop-in replacement, but many times
looking at a SAML problem with OAuth requires rethinking and reframing
the problem a bit, just like JSON isn't going to be a drop-in
replacement for XML.
-- Justin
On 07/19/2013 06:15 AM, Manfred Steyer wrote:
Hi,
are there plans for supporting delegation styles like ActAs or
OnBehalfOf in SAML?
If this was possible, a resource server could delegate a subset of
the delegated rights to another resource server. This could be a
very important thing, when one wants to use OAuth 2 within an
enterprise environment.
I know that OAuth 2 has been created for web scenarios, but it's
a fact that OAuth 2 is used as a "REST-friendly" alternative to
WS-* in the area of service security.
Would it be the right way to define an Extension Grant for such
a scenario?
Wishes,
Manfred
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
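The aud/azp handling Manfred describes above, as an added example that is not part of this thread or of any OAuth WG draft: a resource server checking the delegation-relevant claims of an OpenID Connect ID Token whose requestor (azp) is not itself in the audience (aud). The claim set is constructed inline, signature verification is assumed to have already happened, and the "trusted requestors" policy is an assumption of this example, not something the specs prescribe.

```python
import time

# Constructed ID Token payload (not a real token): issued to two audiences,
# requested by "gateway-app", which is not itself an audience.
CONSTRUCTED_ID_TOKEN_CLAIMS = {
    "iss": "https://issuer.example",
    "sub": "user-42",
    "aud": ["rs-billing", "rs-reports"],
    "azp": "gateway-app",
    "exp": 1_900_000_000,
    "iat": 1_700_000_000,
    "department": "finance",  # custom claim used for authorisation
}


def validate_id_token_claims(claims, expected_issuer, my_audience,
                             trusted_requestors, now=None):
    """Return (ok, reason) after applying the ID Token rules that matter
    when the requestor and the audience differ: issuer, audience
    membership, azp presence/trust, and expiry."""
    now = time.time() if now is None else now
    if claims.get("iss") != expected_issuer:
        return False, "issuer mismatch"
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else list(aud or [])
    if my_audience not in audiences:
        return False, "this resource server is not in aud"
    azp = claims.get("azp")
    # OpenID Connect: with multiple audiences an azp claim should be
    # present; it names the party the token was issued to.
    if len(audiences) > 1 and azp is None:
        return False, "multiple audiences but no azp"
    # Assumed local policy: only known requestors may present tokens here.
    if azp is not None and azp not in trusted_requestors:
        return False, f"untrusted authorized party {azp}"
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    return True, "ok"


def authorised_for(claims, required_department):
    """Authorisation decision on a custom claim, as Manfred suggests."""
    return claims.get("department") == required_department


if __name__ == "__main__":
    print(validate_id_token_claims(CONSTRUCTED_ID_TOKEN_CLAIMS,
                                   "https://issuer.example", "rs-billing",
                                   {"gateway-app"}, now=1_800_000_000))
```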