Re: [OAUTH-WG] Building on the protocol in the draft “OAuth 2.0 Token Exchange: An STS for the REST of Us” to include Authentication Tokens

And that Identity Provider organization could also have it's own authorization server that could act as an STS. That's all I was trying to say. I'm not sure if that would help your case. On Tue, Apr 19, 2016 at 2:19 PM, Fregly, Andrew wrote: > Brian, > > Once again, thank you for your input. Per

Re: [OAUTH-WG] Building on the protocol in the draft “OAuth 2.0 Token Exchange: An STS for the REST of Us” to include Authentication Tokens

All, I will come up with a considered response to this by tomorrow some time. This interaction has been extremely helpful! Andy From: George Fletcher mailto:gffle...@aol.com>> Organization: AOL LLC Date: Wednesday, April 20, 2016 at 1:36 PM To: Andrew Fregly mailto:afre...@verisign.com>>, John

Re: [OAUTH-WG] Building on the protocol in the draft “OAuth 2.0 Token Exchange: An STS for the REST of Us” to include Authentication Tokens

Hi Andy, Glad I guessed correctly:) If there are network or other limitations in how the client gets and uses tokens, that would be helpful in a diagram sense. As John points out in his response, not having an audience has possible security implications. If I'm following your original thinki

Re: [OAUTH-WG] Building on the protocol in the draft "OAuth 2.0 Token Exchange: An STS for the REST of Us" to include Authentication Tokens

For people using RFC 7521, 7522, 7523 they are taking an assertion and using a WS-* STS to transform it into one with the correct audience to use in 7521. I know that some people have just ignored the audience, however that can have negative security consequences. When exchanging the token yo

Re: [OAUTH-WG] Building on the protocol in the draft “OAuth 2.0 Token Exchange: An STS for the REST of Us” to include Authentication Tokens

Hi George, You fully captured one of the options we have been contemplating. I didn’t propose this flow because I was looking for a way to solve our our use case based on the existing RFCs and OpenID Connect specifications with minimal new specification required. That led me to the path describ

Re: [OAUTH-WG] Building on the protocol in the draft "OAuth 2.0 Token Exchange: An STS for the REST of Us" to include Authentication Tokens

Thank you again of your input Nat. First of all, I apologize for confusing the situation by referencing the wrong RFCs in a prior email. I transposed two digits. The RFCs I meant to reference where 7521-7523 (see below). I get that the original RFC for OAuth has the mechanism for client authen

Re: [OAUTH-WG] Building on the protocol in the draft “OAuth 2.0 Token Exchange: An STS for the REST of Us” to include Authentication Tokens

I should probably just wait for the diagram... but not wanting to wait... :) If I understand correctly, the user is going to use a client and the client will authenticate the user via some IdP using an existing method (SAML, LDAP (?), OpenID Connect, etc). The desire is to take that response a