Re: [OAUTH-WG] JWT Token on-behalf of Use case

Tue, 07 Jul 2015 12:59:42 -0700 

I’ll write a note later today describing how the just-published update that 
makes the Token Exchange draft token-type agnostic also enables it to be used 
in fully “OAuthy” cases – where some of the tokens used are OAuth access tokens 
or refresh tokens.

(Right now I’m writing up the changes made to 
draft-ietf-oauth-proof-of-possession, then will get to the JWK Thumbprint and 
Token Exchange write-ups…)

                                                                Cheers,
                                                                -- Mike

From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Justin Richer
Sent: Tuesday, July 07, 2015 12:52 PM
To: Kathleen Moriarty
Cc: <oauth@ietf.org>
Subject: Re: [OAUTH-WG] JWT Token on-behalf of Use case

Kathleen,

I agree that Brian’s approach covers the use case that drove my original draft 
and effectively subsumes my approach.

My standing contention with the document as it stands is and has always been 
that it’s lacking a general syntactical approach and it isn’t very OAuth-y. I 
would love to see a productive conversation on this front.

 — Justin

On Jul 7, 2015, at 3:43 PM, Kathleen Moriarty 
<kathleen.moriarty.i...@gmail.com<mailto:kathleen.moriarty.i...@gmail.com>> 
wrote:

I'm just catching up on this tread, but would appreciate an in-room discussion 
on this topic that doesn't assume the adopted draft has the agreed upon 
approach as I am not reading that there is consensus on that approach in this 
thread at all.

Could we see presentations on Mike's draft and Brian's?  Justin, do you agree 
that Brian's draft covers the use case in our draft as was implied in this 
thread?

I'd like to see a discussion guided by the chairs to see if we can find a 
go-forward plan.  There seems to be differing opinions and maybe a pull towards 
simpler approaches that extend Oauth.

Thank you.

On Tue, Jul 7, 2015 at 3:18 PM, Sam Hartman 
<hartmans-i...@mit.edu<mailto:hartmans-i...@mit.edu>> wrote:
Speaking as someone who is reasonably familiar with Kerberos and the
general concepts involved, I find both Microsoft/Kerberos technology
((constrained delegation/protocol transition) and the ws-trust text
horribly confusing and would recommend against all of the above as
examples of clarity.
After several years I've finally gotten to a point where I understand
the Kerberos terms, but that's simply by using them regularly, not
because there was clarity.


This may be a case where new terminology is worthwhile if you can find
something that multiple people (especially new readers not overly
familiar with the concepts) find to be clear.

_______________________________________________
OAuth mailing list
OAuth@ietf.org<mailto:OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth



--

Best regards,
Kathleen


_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

Reply via email to