This draft is a proposed alternate proposal for draft-ietf-oauth-discovery.  As 
such, it contains the same registry for OAuth Config Metadata as the authors 
believe that both solutions are not required, or depending on WG discussion 
they will be merged. The intent is to provide a simple complete draft for 
consideration.

How it works...
Given that a client has previously discovered an OAuth protected resource, the 
bound configuration method allows a client to return the configuration for an 
OAuth authorization server that can issue tokens for the resource URI specified 
by the client.  The AS is not required to be in the same domain.  The AS is 
however required to know if it can issue tokens for a resource service (which 
presumes some agreement exists on tokens etc).

The draft does not require that the resource exist (e.g. for unconfigured or 
new user-based resources). It only requires that the AS service provider agrees 
it can issue tokens.

From a security perspective, returning the OAuth service configuration for a 
specified resource URI serves to confirm the client is in possession of a valid 
resource URI, ensuring the client has received a valid set of endpoints for the 
resource and the associated OAuth services.

I propose that the WG consider the alternate draft carefully as well as other 
submissions and evaluate the broader discovery problem before proceeding with 
WGLC on OAuth Discovery.

Thanks!

Phil

@independentid
www.independentid.com
phil.h...@oracle.com


> Begin forwarded message:
> 
> From: internet-dra...@ietf.org
> Subject: New Version Notification for draft-hunt-oauth-bound-config-00.txt
> Date: March 13, 2016 at 3:53:37 PM PDT
> To: "Phil Hunt" <phil.h...@yahoo.com>, "Anthony Nadalin" 
> <tony...@microsoft.com>, "Tony Nadalin" <tony...@microsoft.com>
> 
> 
> A new version of I-D, draft-hunt-oauth-bound-config-00.txt
> has been successfully submitted by Phil Hunt and posted to the
> IETF repository.
> 
> Name:           draft-hunt-oauth-bound-config
> Revision:       00
> Title:          OAuth 2.0 Bound Configuration Lookup
> Document date:  2016-03-13
> Group:          Individual Submission
> Pages:          22
> URL:            https://www.ietf.org/internet-drafts/draft-hunt-oauth-bound-config-00.txt
> Status:         https://datatracker.ietf.org/doc/draft-hunt-oauth-bound-config/
> Htmlized:       https://tools.ietf.org/html/draft-hunt-oauth-bound-config-00
> 
> 
> Abstract:
>   This specification defines a mechanism for the client of an OAuth 2.0
>   protected resource service to obtain the configuration details of an
>   OAuth 2.0 authorization server that is capable of authorizing access
>   to a specific resource service.  The information includes the OAuth
>   2.0 component endpoint location URIs as well as authorization
>   server capabilities.
> 
> 
> 
> 
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
> 
> The IETF Secretariat
> 

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
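
An added example, not part of the original message or of the draft: one way an authorization server could decide whether it can issue tokens for a client-supplied resource URI before returning its configuration. The registry, the matching rule, the `resource` field and all names and URLs are assumptions, since the message does not show the draft's wire format.

```python
from urllib.parse import urlsplit

# Constructed sample data (hypothetical; not taken from the draft).
AS_CONFIG = {
    "issuer": "https://as.example.net",
    "authorization_endpoint": "https://as.example.net/authorize",
    "token_endpoint": "https://as.example.net/token",
}
# Resource services this AS has agreed to issue tokens for. They may live in
# another domain than the AS, and individual resources need not exist yet.
BOUND_RESOURCES = ["https://api.example.com/v1/", "https://files.example.org/"]


def normalize(uri):
    """Return (host, port, path) for an absolute https URI, else None."""
    try:
        parts = urlsplit(uri)
        port = parts.port or 443
    except ValueError:  # malformed port or bracketed host
        return None
    if parts.scheme != "https" or not parts.hostname:
        return None
    if parts.username or parts.password or parts.fragment:
        return None  # userinfo is a classic source of host confusion
    path = parts.path or "/"
    if ".." in path.split("/"):
        return None  # reject literal dot segments instead of resolving them
    return parts.hostname.lower(), port, path if path.endswith("/") else path + "/"


def can_issue_for(resource_uri):
    """True if resource_uri falls under a bound resource service."""
    target = normalize(resource_uri)
    if target is None:
        return False
    for bound in BOUND_RESOURCES:
        b = normalize(bound)
        # Compare host and port exactly; compare paths on segment boundaries.
        if b and b[:2] == target[:2] and target[2].startswith(b[2]):
            return True
    return False


def lookup_config(resource_uri):
    """Return the AS configuration for resource_uri, or None if unbound."""
    if not can_issue_for(resource_uri):
        return None
    return dict(AS_CONFIG, resource=resource_uri)
```

Matching on exact host and port plus whole path segments is what keeps look-alike hosts and sibling paths such as `/v10/` from being treated as the bound `/v1/` service.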
