[OAUTH-WG] assertion, client_assertion_type and client_assertion
Marius Scurtescu <mscurtescu@google.com> Sun, 30 January 2011 22:27 UTC
Return-Path: <mscurtescu@google.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 910113A6881 for <oauth@core3.amsl.com>; Sun, 30 Jan 2011 14:27:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -104.003
X-Spam-Level:
X-Spam-Status: No, score=-104.003 tagged_above=-999 required=5 tests=[AWL=-1.026, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tk1tXXGfp0II for <oauth@core3.amsl.com>; Sun, 30 Jan 2011 14:27:24 -0800 (PST)
Received: from smtp-out.google.com (smtp-out.google.com [74.125.121.67]) by core3.amsl.com (Postfix) with ESMTP id 5C88A3A6849 for <oauth@ietf.org>; Sun, 30 Jan 2011 14:27:24 -0800 (PST)
Received: from hpaq7.eem.corp.google.com (hpaq7.eem.corp.google.com [172.25.149.7]) by smtp-out.google.com with ESMTP id p0UMUZ5S008609 for <oauth@ietf.org>; Sun, 30 Jan 2011 14:30:35 -0800
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=google.com; s=beta; t=1296426635; bh=QW05pTqDzsKeXwAgFviMfVuMv28=; h=MIME-Version:From:Date:Message-ID:Subject:To:Content-Type; b=UtdF3Vl+W6mt02ygtdI4aNlfc+R/FEU+pQMKrJ8eJwF48/q9ADxCn0l9LZmX5ZeoU zjNr+zuN5Aci/Poyz6DoQ==
Received: from gwj23 (gwj23.prod.google.com [10.200.10.23]) by hpaq7.eem.corp.google.com with ESMTP id p0UMUIJL013499 (version=TLSv1/SSLv3 cipher=RC4-MD5 bits=128 verify=NOT) for <oauth@ietf.org>; Sun, 30 Jan 2011 14:30:34 -0800
Received: by gwj23 with SMTP id 23so2821566gwj.15 for <oauth@ietf.org>; Sun, 30 Jan 2011 14:30:34 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=beta; h=domainkey-signature:mime-version:from:date:message-id:subject:to :content-type; bh=tnP2QapAYwUVnRDavg1jtMdUCT2Pqe/8SjQ2h4EJyDQ=; b=jS1QOSg7qWHFPSaW7EgUnUFWkh4QJ3fsL54GOJDK+db3EfxtwOs4qXKX78Fvl+ob2q zQUY0g50ho+eolTDVQhg==
DomainKey-Signature: a=rsa-sha1; c=nofws; d=google.com; s=beta; h=mime-version:from:date:message-id:subject:to:content-type; b=WILrQXapGnPe5pOcYBlTmeXxGwwYqtmV/xOBC/1vfUKa5QeE5ETrtJH0f/CEZLlhoV 3UxW76LiqOrnmLQCeT9w==
Received: by 10.100.96.13 with SMTP id t13mr3454648anb.112.1296426634404; Sun, 30 Jan 2011 14:30:34 -0800 (PST)
MIME-Version: 1.0
Received: by 10.100.153.9 with HTTP; Sun, 30 Jan 2011 14:30:14 -0800 (PST)
From: Marius Scurtescu <mscurtescu@google.com>
Date: Sun, 30 Jan 2011 14:30:14 -0800
Message-ID: <AANLkTimcMgFuvXan75UiE0tobMMtbN2UMfV1ehkoM_z4@mail.gmail.com>
To: OAuth WG <oauth@ietf.org>
Content-Type: text/plain; charset="ISO-8859-1"
X-System-Of-Record: true
Subject: [OAUTH-WG] assertion, client_assertion_type and client_assertion
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 30 Jan 2011 22:27:25 -0000
I would like to bring up one more argument to keep the assertion, client_assertion_type and client_assertion parameters in core. If I understood correctly, the main argument to remove them from core was that they are underspecified and extensions are needed anyhow before they are useful. First of all, this is not true for client_assertion_type and client_assertion. A client can acquire assertions from an IdP that works intimately with the client. In this case the client knows how to get a client assertion and then how to present it to the Authorization Server, but it really does not need to know anything more. The IdP and the Authorization Server do need to agree on format and keys, but not the client. I agree that this is a less used use case, and that currently there are no implementations to point at (as far as I know), but there is another reason to keep these parameters in core. The assertion parameter was in core, but it was removed and now it is defined by SAML 2.0 Bearer Assertion Grant Type Profile. What will the next assertion extension do, let's say JWT? It can either re-define the assertion parameter or it can reference SAML 2.0 Bearer. Does re-defining imply registration as well? How would that work? Having JWT depend on SAML does not make much sense. While the above issue is minor, I think it would be useful if core defined these parameters as extension points. Marius
- [OAUTH-WG] assertion, client_assertion_type and c… Marius Scurtescu
- Re: [OAUTH-WG] assertion, client_assertion_type a… Eran Hammer-Lahav
- Re: [OAUTH-WG] assertion, client_assertion_type a… Brian Campbell