OK, I have some time to respond to this on a real computer.
Let's look at the general mechanism that OAuth provides, using one use case:
A client asks an authorization server for authorization to do something.
The authorization server responds with an authorization token, which
the client is requi
I largely agree with Mike, that assertions are going to be used in a number of
places that have different naming conventions.
Is what Barry is looking for a specific profile for how it would be used with the
token endpoint to authenticate an OAuth confidential client to a token endpoint
in the OAut
In some off-list mail between Mike and me, he said:
>> Was TCP a bad idea because it didn't have MTI port numbers? Would
>> it have improved TCP to add an MTI port or two?
To which I responded:
> Ports are MTI for TCP. [1] They are 16-bit values
> with a well-defined test for equality and a lit
Hi Stephen,
I disagree with you that I didn't discuss address interop in my note below. I
stated that applications built with these specifications can and should be
interoperable, but that profiling is (and should be) required to achieve
completely interoperable implementations of these specif
Hi Mike,
On 02/17/2013 08:41 PM, Mike Jones wrote:
> I've been thinking about Barry's DISCUSS for a bit. No one else has
> responded yet, so I guess I'll jump in and share my perspective.
>
> As I see it, the OAuth Assertions spec, the SAML Assertion Profile, and the
> JWT Assertion Profile a
I've been thinking about Barry's DISCUSS for a bit. No one else has responded
yet, so I guess I'll jump in and share my perspective.
As I see it, the OAuth Assertions spec, the SAML Assertion Profile, and the JWT
Assertion Profile are tools used for building applications - not applications
the
Hi all,
The OAuth assertion document has received DISCUSSes as you can
see from the data tracker at [1]. I've been chatting with
the chairs and the ADs with those DISCUSSes in the last few
days.
The main concern is that these documents do not sufficiently
specify the functionality that is neede
Hi,
On 16/02/13 17:57, William Mills wrote:
The reason to support 1.0a tokens in 2 is simply to provide a migration
path when a site has a 1.0a endpoint it wants to support.
I really like the idea of having a migration path, which is very
important to have, but IMHO this approach won't work. Ap
Hi Sergey,
On 14.02.2013 11:32, Sergey Beryozkin wrote:
- an attempt to revoke an invalid token is now handled like a successful
revocation request (status code 200)
Does it create some precedent, meaning that while people suggest using
4xx statuses to indicate different sorts of failures in t
Hi Justin,
the new revision seems to catch the state of discussion and is
consistent. Thanks for bringing this topic forward.
On your editor's note in section 4.2: In my opinion, the 404 due to a
non-existing resource should precede the 403. I would suggest to point
out your thoughts on th
10 matches