Hi, Prabath
My question is since client-id is public, then it is a waste to get it
by granting an access-token.
And in step 2, "Resource Owner grants access to a selected Client", RO
logs in to select clients to be delegated,
and RS redirects RO to AS to grant access token to client, to m
Our use-cases are pretty straightforward - customers want to perform server to
server integration tasks without passwords.
We use the SAML and JWT assertion profiles to enable them to authenticate to
our system without having a password for the service principal they're trying
to act as. Some
Yes, OpenID Connect uses the Assertions spec and the JWT Assertion Profile.
See uses of [OAuth.JWT] in
http://openid.net/specs/openid-connect-messages-1_0.html. It is used for both
client_secret_jwt and private_key_jwt client authentication. Per
http://osis.idcommons.net/wiki/Category:OC4_S
Hi Hannes,
thanks for your review and feedback. Please find my comments inline.
On 08.10.2012 13:52, Tschofenig, Hannes (NSN - FI/Espoo) wrote:
Hi all,
I went through draft-ietf-oauth-revocation-01 to see what has changed
between version -00 and -01.
A few minor comments:
Title: maybe you shou
Thanks Mike!
They say you never forget your first RFC...
On Thu, Oct 4, 2012 at 5:04 PM, Mike Jones wrote:
> Congratulations on completing the first OAuth working group RFC!!!
>
> -- Mike
>
> -Original Message-
> From: oauth-boun...@ietf.org [mailto:oauth-
(I'm not seeing Zhou's responses to you on the list, so I don't have the other
proposal handy. Can Zhou or someone share the link?)
Your proposal seems to require that the requester/client register with the AS
(through the RS) ahead of time as well as initiating the approach to the
resource at
Hi all,
I took a look at version -06 of the assertions draft to see whether some
of the discussions had been reflected in this recent draft update.
I was hoping that there is a bit more explanation of the use case that
motivates the work. Unfortunately, the update does not contain anything
alon
Hi all,
I went through draft-ietf-oauth-revocation-01 to see what has changed
between version -00 and -01.
A few minor comments:
Title: maybe you should change it from "Token Revocation" to "Revocation
of OAuth Access and Refresh Tokens" to make it a bit more informative.
The abstract is also a bi
On 2012-07-18 13:37, Alexey Melnikov wrote:
On 17/07/2012 19:01, Mike Jones wrote:
You should actually probably make that name change request to the
HTTPbis working group. I suspect that if they decide to change the
name, that we could direct the RFC editor to make the same name change
as HTTPb