Re: [OAUTH-WG] Java / Javascript Implementation

2010-08-25 Thread Bouiaw
Hi, We are making good progress on our open source Java implementation of OAuth2, as a part of RESThub (http://resthub.org) framework. Source code and unit tests: http://bitbucket.org/ilabs/resthub/src/tip/resthub-oauth2/ Documentation: http://bitbucket.org/ilabs/resthub/wiki/Security We have

Re: [OAUTH-WG] Moving the User Experience Extension draft forward

2010-08-25 Thread Chuck Mortimore
We are in support, and have implemented display - cmort On Aug 25, 2010, at 1:40 PM, "Marius Scurtescu" wrote: > David, > > Here is some feedback I received internally from Greg Robbins: > > "Having "display" as an extension is useful, though considering the > trend towards tablet devices lik

Re: [OAUTH-WG] Moving the User Experience Extension draft forward

2010-08-25 Thread Marius Scurtescu
David, Here is some feedback I received internally from Greg Robbins: "Having "display" as an extension is useful, though considering the trend towards tablet devices like the iPad, "touch" and "popup" seem orthogonal rather than mutually exclusive. It would also be nice if the client could indi

Re: [OAUTH-WG] SAML profile comments/questions from the SAML people

2010-08-25 Thread Brian Campbell
Again, sorry for the slow reply. On Thu, Aug 19, 2010 at 1:52 PM, Thomas Hardjono wrote: >> First, concern was expressed that restricting the assertion to only >> allow for a single element was too limiting. >> The restriction basically limits the ability of a single assertion to >> be issued fo

Re: [OAUTH-WG] SAML profile comments/questions from the SAML people

2010-08-25 Thread Brian Campbell
On Thu, Aug 19, 2010 at 1:41 PM, Thomas Hardjono wrote: > Apologies for the late comments (below). And apologies for my late reply. > > What about the two bullets on AuthnStatement? > > > >    o  If the assertion issuer authenticated the subject, the assertion > >       SHOULD contain a single

Re: [OAUTH-WG] Web Server Flow - receiving incoming requests

2010-08-25 Thread Zeltsan, Zachary (Zachary)
The client should be capable of redirecting the user agent to the authorization server, so the client has to be an HTTP server. The authorization server then also redirects the user agent back to the client. I agree that the description needs clarification. Especially the text "...and capable o

Re: [OAUTH-WG] Web Server Flow - receiving incoming requests

2010-08-25 Thread David Recordon
I think that the meaning here is that the client can handle the HTTP redirect back from the authorization server. Not that the authorization server is making an HTTP request directly to it. Agreed that it could be clarified. :) On Wed, Aug 25, 2010 at 9:19 AM, Stuebner, Christian (extern) < c.stue

[OAUTH-WG] Web Server Flow - receiving incoming requests

2010-08-25 Thread Stuebner, Christian (extern)
I have a question regarding draft -10, section 1.4.1 - web server flow: "The web server profile is suitable for clients capable of interacting with the end-user's user-agent (typically a web browser) and capable of receiving incoming requests from the authorization server (capable of a