Hi Paul, others, On Mon, Aug 25, 2014 at 03:49:56PM +0200, Paul Millar wrote:
Hi Alan,
On 25/08/14 07:13, Sill, Alan wrote:
Thought you would be interested in the following link, from the blog of Mike Jones of Microsoft.
Topic: There's now an OAuth working group draft of the OAuth 2.0 Token Exchange specification, which provides Act-As and On-Behalf-Of functionality for OAuth 2.0. This functionality is deliberately modelled on the same functionality present in WS-Trust.
Interesting, although (to me) a little odd: OAuth is already about delegation, so providing a delegation framework within a delegation framework seems redundant.
Another odd point is that the RP needs to know (a priori) the identity it wishes which, in general, it doesn't (c.f. OpenID Connect).
Maybe I'm wrong, but I would think that an interesting use-case is multi-step delegation. For single-step delegation standard OAuth2.0 is fine. But how should a resource server then do a further delegation step, so RP-1 want to request access to RP-2 on behalf of user. It could try to (mis)use the original token, but it's much better to require a new token. That means it must request a token on behalf of the original user. In that case, it also would know which identity to use, right? Or do I misunderstand your second remark? Cheers, Mischa
So, the use-case seems to be RP needs a credential (X.509, Kerberos, ...) to communicate with some server that doesn't support OAuth but trusts the server issuing the credential --- perhaps for legacy services or ones that don't provide a web front-end?
Anyhow, thanks for the pointer.
Cheers,
Paul. _______________________________________________ Idel-wg mailing list Idel-wg@ogf.org https://www.ogf.org/mailman/listinfo/idel-wg
-- Nikhef Room H155 Science Park 105 Tel. +31-20-592 5102 1098 XG Amsterdam Fax +31-20-592 5155 The Netherlands Email msalle@nikhef.nl __ .. ... _._. .... ._ ... ._ ._.. ._.. .._..