Re: [OAUTH-WG] OAuth discovery draft?

2010-06-23 Thread Thomas Hardjono
Hi Yaron, I think delegation is a great idea/feature that should be added to OAuth (as I suggested in the kerberos-oauth draft). In the Kerberos world, it has been a very important feature (a life saver). In your example, when Yochi wants to terminate the delegation she gave to Leon, how does

Re: [OAUTH-WG] Extensibility for OAuth?

2010-06-23 Thread Thomas Hardjono
Thanks Hannes. Great list of to-do items for the WG :) > -Original Message- > From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf > Of Tschofenig, Hannes (NSN - FI/Espoo) > Sent: Wednesday, June 23, 2010 2:08 AM > > This is probably the most important item where people wi

Re: [OAUTH-WG] OAuth discovery draft?

2010-06-23 Thread Yaron Goland
No objections on my part. I would rather have a smaller core spec with features that everyone agrees on. BTW, a thought for the discovery draft - RFC 2616/2617 only defines www-authenticate's semantics in the context of a 401. It's unclear from the draft what it would mean to return a www-authe

Re: [OAUTH-WG] OAuth discovery draft?

2010-06-23 Thread Eran Hammer-Lahav
I think the core work is pretty stable now, unlike the discovery bits which (while simple) are not enjoying the same level of consensus. I think it is much more practical to propose them as a separate document and perhaps consider merging them later on when they reach an equal level of stability

Re: [OAUTH-WG] OAuth discovery draft?

2010-06-23 Thread Yaron Goland
I've been noodling [1] a lot about full delegation in OAuth [2] and one of the issues that came out of that was the need for discovering both the location and realm of an endpoint's token server. But at least for my use cases (which consist of walking up to a service and making an options reques

[OAUTH-WG] Scope :: Was: Extensibility for OAuth?

2010-06-23 Thread Dick Hardt
On 2010-06-22, at 11:07 PM, Tschofenig, Hannes (NSN - FI/Espoo) wrote: > " > scope > OPTIONAL. The scope of the access request expressed as a list > of space-delimited strings. The value of the "scope" parameter > is defined by the authorization server. If the value c

Re: [OAUTH-WG] proposal for signatures

2010-06-23 Thread Ben Laurie
On 22 June 2010 21:45, David Recordon wrote: > Hey Dick, in answering my questions you made my point. If keys are > managed out of band – as is done in OAuth 1.0 and what was done in the > OAuth 2.0 Core spec until signatures were extracted – then having a > key id is not needed. I certainly under

Re: [OAUTH-WG] native app support (was: Next draft)

2010-06-23 Thread Luke Shepard
One more question - is the technique used in production? I think you'd mentioned that it was ... if so, can you point me to the docs where it's currently used? On Jun 22, 2010, at 11:00 PM, Luke Shepard wrote: > Two points: > > 1/ I agree that it can be onerous for clients to host web pages.