[OAUTH-WG] SAML 2.0 Bearer Assertion Profiles for OAuth 2.0 Draft -11 and OAuth 2.0 Assertion Profile Draft -02

Brian Campbell <bcampbell@pingidentity.com> Thu, 26 April 2012 20:01 UTC


Draft -11 of "SAML 2.0 Bearer Assertion Profiles for OAuth 2.0" and
draft -02 of "OAuth 2.0 Assertion Profile" have been published. The
changes address comments raised during WGLC on the two documents that
ended earlier this week. A summary of changes is included (with links
to the comment in the mail archive when appropriate) in the document
history section of each draft. A copy of the relevant portion of the
history is also copied to the bottom of this message for convenience.
I'd like to specifically thank Mike Jones for his assistance in
getting these updates posted quickly.

The drafts are available at:
   o  Removed text about limited lifetime access tokens and the SHOULD
      NOT on issuing refresh tokens.  The text was moved to
      draft-ietf-oauth-assertions-02 and somewhat modified per

   o  Fixed typo/missing word per

   o  Added Terminology section.
   o  Added text about limited lifetime ATs and RTs per

   o  Changed the line breaks in some examples to avoid awkward
      rendering to text format.  Also removed encoded '=' padding from a
      few examples because both known derivative specs, SAML and JWT,
      omit the padding char in serialization/encoding.

   o  Remove section 7 on error responses and move that (somewhat
      modified) content into subsections of section 4 broken up by
      authn/authz per

   o  Rework the text about "MUST validate ... in order to establish a
      mapping between ..." per

   o  Change "The Principal MUST identify an authorized accessor.  If
      the assertion is self-issued, the Principal SHOULD be the
      client_id" in 6.1 per

   o  Update reference in 4.1 to point to 2.3 (rather than 3.2) of
      oauth-v2 (rather than self)

   o  Move the "Section 3 of" out of the xref to hopefully fix the link
      in 4.1 and remove the client_id bullet from 4.2 per

   o  Add ref to Section 3.3 of oauth-v2 for scope definition and remove
      some then redundant text per

   o  Change "The following format and processing rules SHOULD be
      applied" to "The following format and processing rules apply" in
      sections 6.x to remove conflicting normative qualification of
      other normative statements per

   o  Add text to 4.1 that the client_id must identify the client and
      remove similar text from other places per

   o  Remove the MUST from the text prior to the HTTP parameter
      definitions per

   o  Updated examples to use grant_type and client_assertion_type
      values from the OAuth SAML Assertion Profiles spec.

-- Brian
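As an added illustration (not from this message or from the drafts it announces): the bullet about dropping encoded '=' padding from the examples has a practical consequence for implementers, since the assertion parameter of the token request is base64url without padding while many base64 decoders reject unpadded input. The code below builds such a request with the grant_type URN defined by the SAML bearer profile, and decodes it on the authorization-server side by restoring the padding; the assertion XML is a constructed, unsigned stand-in.

```python
"""Added example: SAML bearer assertion carried as unpadded base64url in a token request."""
import base64
from urllib.parse import urlencode, parse_qs

# Grant type URN defined by the SAML 2.0 Bearer Assertion Profile for OAuth 2.0.
GRANT_TYPE_SAML2_BEARER = "urn:ietf:params:oauth:grant-type:saml2-bearer"

# Constructed, unsigned stand-in for a SAML assertion; a real one is signed by the issuer.
SAMPLE_ASSERTION = (
    b'<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    b'ID="_example-assertion" Version="2.0">'
    b'<saml:Issuer>https://idp.example.com</saml:Issuer>'
    b'</saml:Assertion>'
)


def b64url_encode_unpadded(data: bytes) -> str:
    """base64url with the trailing '=' stripped, matching how the drafts serialize examples."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Decode base64url with or without padding: restore the padding, then decode strictly."""
    missing = (-len(text)) % 4
    if missing == 3:  # no valid base64 string has length 4k+1
        raise ValueError("invalid base64url length")
    padded = (text + "=" * missing).encode("ascii")
    # validate=True rejects characters outside the alphabet instead of silently skipping them.
    return base64.b64decode(padded, altchars=b"-_", validate=True)


def build_token_request(assertion_xml: bytes, scope: str = "") -> str:
    """Form-encoded body of the access token request for the SAML bearer grant."""
    params = {"grant_type": GRANT_TYPE_SAML2_BEARER,
              "assertion": b64url_encode_unpadded(assertion_xml)}
    if scope:
        params["scope"] = scope
    return urlencode(params)


def parse_token_request(body: str) -> bytes:
    """Authorization-server side: check the grant type and recover the assertion XML.
    Signature, issuer, audience and validity-period checks then run on the decoded XML."""
    fields = parse_qs(body, strict_parsing=True)
    if fields.get("grant_type") != [GRANT_TYPE_SAML2_BEARER]:
        raise ValueError("unsupported_grant_type")
    if len(fields.get("assertion", [])) != 1:
        raise ValueError("invalid_request: exactly one assertion parameter expected")
    return b64url_decode(fields["assertion"][0])
```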