I agree (kind of anyway) with Torsten. Discovery based on the user id of the resource owner doesn't necessarily make sense for general OAuth cases.
Also restating what I already posted about the draft: Would it be worth considering constraining the scope of this document to just the publication and content of AS metadata? And keep the actual discovery of that metadata, be it from the RS or the user id or what have you, out of scope or in a different document(s)? The former is relatively well understood and provides some value. While the ideas about how the the latter should work seem to have a pretty broad range. On Tue, Jan 26, 2016 at 12:35 PM, Torsten Lodderstedt < tors...@lodderstedt.net> wrote: > Hi, > > I support the adoption of this document as starting point for our work > towards OAuth discovery. > > Restating what I already posted after the last IETF meeting: It seems the > document assumes the AS can always be discoverd using the user id of the > resource owner. I think the underlying assumption is resource servers > accept access token of different (any?) user specific AS (and OP)? From my > perspective, RSs nowadays typically trust _the_ AS of their security > domain/ecosystem and all resource owners need to have an user account with > this particular AS. So I would assume the process to start at the RS. I > think the spec needs to cover the latter case as well. > > kinds regards, > Torsten. > > > Am 19.01.2016 um 12:48 schrieb Hannes Tschofenig: > > Hi all, > > this is the call for adoption of OAuth 2.0 Discovery, > seehttps://tools.ietf.org/html/draft-jones-oauth-discovery-00 > > Please let us know by Feb 2nd whether you accept / object to the > adoption of this document as a starting point for work in the OAuth > working group. > > Note: If you already stated your opinion at the IETF meeting in Yokohama > then you don't need to re-state your opinion, if you want. > > The feedback at the Yokohama IETF meeting was the following: 19 for / > zero against / 4 persons need more information. > > Ciao > Hannes & Derek > > > > > _______________________________________________ > OAuth mailing listOAuth@ietf.orghttps://www.ietf.org/mailman/listinfo/oauth > > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > >
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
