+1

> On 20 Jan 2016, at 23:07, John Bradley <ve7...@ve7jtb.com> wrote:
> 
> So if this is scoped to be a registry for the values of a JWT claim then it 
> is fine.
> We should discourage people from thinking that it is part of the OAuth 
> protocol vs JWT claims.
> 
> John B.
> 
>> On Jan 20, 2016, at 6:29 PM, Mike Jones <michael.jo...@microsoft.com> wrote:
>> 
>> The primary purpose of the specification is to establish a registry for 
>> "amr" JWT claim values.  This is important, as it increases interoperability 
>> among implementations using this claim.
>> 
>> It's a fair question whether "requested_amr" should be kept or dropped.  I 
>> agree with John and James that it's bad architecture.  I put it in the -00 
>> individual draft to document existing practice.  I suspect that should the 
>> draft be adopted by the working group as a starting point, one of the first 
>> things the working group will want to decide is whether to drop it.  I 
>> suspect that I know how this will come out and I won't be sad, 
>> architecturally, to see it go.
>> 
>> As to whether this belongs in the OAuth working group, long ago it was 
>> decided that JWT and JWT claim definitions were within scope of the OAuth 
>> working group.  That ship has long ago sailed, both in terms of RFC 7519 and 
>> it continues to sail, for instance, in draft-ietf-oauth-proof-of-possession, 
>> which defines a new JWT claim, and is in the RFC Editor Queue.  Defining a 
>> registry for values of the "amr" claim, which is registered in the 
>> OAuth-established registry at http://www.iana.org/assignments/jwt, is 
>> squarely within the OAuth WG's mission for the creation and stewardship of 
>> JWT.
>> 
>>                              -- Mike
>> 
>> -----Original Message-----
>> From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of John Bradley
>> Sent: Wednesday, January 20, 2016 12:44 PM
>> To: Justin Richer <jric...@mit.edu>
>> Cc: <oauth@ietf.org> <oauth@ietf.org>
>> Subject: Re: [OAUTH-WG] Call for Adoption: Authentication Method Reference 
>> Values
>> 
>> I see your point that it is a fine line reporting how a person authenticated 
>> to an Authorization endpoint (it might be by SAML etc) and encouraging people 
>> to use OAuth for Authentication.
>> 
>> We already have the amr response in connect.  The only thing really missing 
>> is a registry.  Unless this is a sneaky way to get requested_amr into 
>> Connect?
>> 
>> John B.
>>> On Jan 20, 2016, at 5:37 PM, Justin Richer <jric...@mit.edu> wrote:
>>> 
>>> Just reiterating my stance that this document detailing user authentication 
>>> methods has no place in the OAuth working group.
>>> 
>>> — Justin
>>> 
>>>> On Jan 19, 2016, at 6:48 AM, Hannes Tschofenig <hannes.tschofe...@gmx.net> 
>>>> wrote:
>>>> 
>>>> Hi all,
>>>> 
>>>> this is the call for adoption of Authentication Method Reference
>>>> Values, see
>>>> https://tools.ietf.org/html/draft-jones-oauth-amr-values-03
>>>> 
>>>> Please let us know by Feb 2nd whether you accept / object to the
>>>> adoption of this document as a starting point for work in the OAuth
>>>> working group.
>>>> 
>>>> Note: The feedback during the Yokohama meeting was inconclusive,
>>>> namely
>>>> 9 for / zero against / 6 persons need more information.
>>>> 
>>>> Your feedback will therefore be important to find out whether we
>>>> should do this work in the OAuth working group.
>>>> 
>>>> Ciao
>>>> Hannes & Derek
>>>> 
>>>> _______________________________________________
>>>> OAuth mailing list
>>>> OAuth@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/oauth
