Hi folks, I've gone over draft-ietf-oauth-token-exchange-12 and things seem generally OK. I do still have one remaining concern, which is about the actor claim. Specifically, what is the RP supposed to do when they encounter it? This seems kind of underspecified.
In particular:

1. What facts am I supposed to know here? Merely that everyone in the chain signed off on the next person in the chain acting as them?

2. Am I just supposed to pretend that the person presenting the token is the identity at the top of the chain? Say I have the delegation A -> B -> C, and there is some resource which B can access but A and C cannot; should I give access?

I think the first question definitely needs an answer. The second question I guess we could just not answer, but it's pretty hard to know how to make a system with this left open.

-Ekr
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
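As an added illustration of the delegation chain the question above is about (example code, not part of this message or of the draft): the draft expresses a chain by nesting `act` claims, with the outermost `act` being the current actor and each nested `act` a prior actor. The code walks that nesting into chronological order and then evaluates the A -> B -> C case under two explicitly named policies; the `POLICY` table and the two policy modes are assumptions chosen for the example, not something the draft specifies.

```python
import json
from typing import Dict, List

# Constructed sample claims set in the shape used by draft-ietf-oauth-token-exchange:
# "sub" is the party on whose behalf the token is used, the outermost "act" is the
# current actor, and the nested "act" is a prior actor. This encodes A -> B -> C.
SAMPLE_CLAIMS = json.dumps({
    "iss": "https://issuer.example", "aud": "https://rs.example",
    "sub": "A",
    "act": {"sub": "C", "act": {"sub": "B"}},
})

# Hypothetical resource policy: resource -> principals allowed to access it.
# "/reports" is the case from the question: B may access it, A and C may not.
POLICY: Dict[str, set] = {"/reports": {"B"}, "/profile": {"A", "B", "C"}}


def delegation_chain(claims: dict) -> List[str]:
    """Return [subject, earliest actor, ..., current actor].

    Nested act claims are collected outermost-first (current actor first),
    so they are reversed to put the chain into chronological order.
    """
    actors = []
    node = claims.get("act")
    while node is not None:
        if "sub" not in node:
            raise ValueError("act claim without a sub member")
        actors.append(node["sub"])
        node = node.get("act")
    return [claims["sub"]] + list(reversed(actors))


def authorize(claims: dict, resource: str, mode: str = "all") -> bool:
    """Decide access for a delegated token under one of two assumed policies.

    mode="all":     every party in the chain must hold the permission, so the
                    effective access is bounded by the least-privileged party.
    mode="subject": only the subject's own rights count and actors inherit
                    them (the "pretend the presenter is the subject" reading).
    """
    chain = delegation_chain(claims)
    allowed = POLICY.get(resource, set())
    if mode == "all":
        return all(party in allowed for party in chain)
    if mode == "subject":
        return chain[0] in allowed
    raise ValueError(f"unknown policy mode {mode!r}")
```

Under either policy the "/reports" case is denied, because B's permission alone never carries over to a chain whose subject and current actor lack it.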