A new draft of "OAuth 2.0 Token Exchange" has been published addressing review comments on the prior draft. The changes from -03 are listed here:

https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-04

   o  Clarified that the "resource" and "audience" request parameters
      can be used at the same time (via
      http://www.ietf.org/mail-archive/web/oauth/current/msg15335.html).

   o  Clarified subject/actor token validity after token exchange and
      explained a bit more about the recommendation to not issue
      refresh tokens (via
      http://www.ietf.org/mail-archive/web/oauth/current/msg15318.html).

   o  Updated the examples appendix to use an issuer value that doesn't
      imply that the client issued and signed the tokens and used
      "Bearer" and "urn:ietf:params:oauth:token-type:access_token" in
      one of the responses (via
      http://www.ietf.org/mail-archive/web/oauth/current/msg15335.html).

   o  Defined and registered urn:ietf:params:oauth:token-type:id_token,
      since some use cases perform token exchanges for ID Tokens and no

---------- Forwarded message ----------
From: <[email protected]>
Date: Fri, Mar 4, 2016 at 12:57 PM
Subject: [OAUTH-WG] I-D Action: draft-ietf-oauth-token-exchange-04.txt
To: [email protected]
Cc: [email protected]

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Web Authorization Protocol of the IETF.

        Title           : OAuth 2.0 Token Exchange: An STS for the REST of Us
        Authors         : Michael B. Jones
                          Anthony Nadalin
                          Brian Campbell
                          John Bradley
                          Chuck Mortimore
        Filename        : draft-ietf-oauth-token-exchange-04.txt
        Pages           : 28
        Date            : 2016-03-04

Abstract:
   This specification defines a protocol for a lightweight HTTP- and
   JSON-based Security Token Service (STS) by defining how to request
   and obtain security tokens from OAuth 2.0 authorization servers,
   including security tokens employing impersonation and delegation.

The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-token-exchange/

There's also a htmlized version available at:
https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-04

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-token-exchange-04

Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
