You can accomplish the ActAs semantics with Assertions profile, while a bit clumsy the basics are in place, the only issue is that you don't have any way to indicate the formal semantics
From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of Prateek Mishra Sent: Friday, July 19, 2013 9:03 AM To: Manfred Steyer Cc: oauth@ietf.org Subject: Re: [OAUTH-WG] SAML-like ActAs Hi Manfred, This is an area of interest to us and we have done some profiling in our implementation. Generally speaking, we work with the assertion profiles as a starting point. They allow for WS-Trust like token exchanges and (implicitly) support ActAs or OnBehalfOf. But they do need additional profiling to offer genuine interoperability in this area. https://datatracker.ietf.org/doc/draft-ietf-oauth-assertions/ https://datatracker.ietf.org/doc/draft-ietf-oauth-jwt-bearer/ https://datatracker.ietf.org/doc/draft-ietf-oauth-saml2-bearer/ What use-cases do you have in mind? I am not sure I follow what you mean by "a resource server could delegate a subset of the delegated rights to another resource server". - prateek Hi, are there plans for supporting delegation-styles like ActAs or OnBehalfOf in SAML? If this was possible, a resource server could delegate a subset of the delegated rights to another resource server. This could be a very important thing, when one wants to use OAuth 2 within an enterprise-environment. I know, that OAuth 2 has been created for web-scenarios, but it's a fact that OAuth 2 is used as a "REST-friedly" alternative to WS-* in the area of service-security. Would it be the right way, to define an Extension Grants for such a scenario? Wishes, Manfred _______________________________________________ OAuth mailing list OAuth@ietf.org<mailto:OAuth@ietf.org> https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
