[WRAP] Wrap Artifact Binding/Mobile Profile

John Bradley john.bradley at wingaa.com
Wed Feb 10 22:56:41 UTC 2010


In principle it would work. The only downside is that the artifact/token might be smaller if it were a simple SHA256 XORd with the association secret or something like that. 

I like the concept in principle if it doesn't compromise the ability to have a small response via GET.

I had questions around the token format returned by the protected resource (artifact resolution).

John B.

On 2010-02-10, at 7:27 PM, Allen Tom wrote:

> + [specs at openid]
> 
> Nat – this is exactly what I had in mind. In many ways Oauth and Oauth-WRAP are similar to artifact binding – the user approves a token, which is then passed back to the RP via a browser redirect. The token is then used by the RP to make web service calls on the OP to access a Protected Resource.
> 
> The token is kind of like an artifact, and the Protected Resource can be an OpenID assertion.
> 
> Would we be able to combine the OpenID Artifact Binding Extension with OAuth WRAP? If so, that would be great.
> 
> Allen
> 
> 
> On 2/8/10 7:29 PM, "Nat Sakimura" <sakimura at gmail.com> wrote:
> 
>> Hi
>> 
>> I was wondering if we could define an Artifact Binding/Mobile Profile for Wrap. 
>> 
>> The way I would do it is pretty simple because Wrap Web App Profile is an Artifact Binding to some extent. 
>> Just send Verification Code Request directly from WebAppClient to AuthzServer 
>> and get an Artifact back and bring that to AuthzServer through UA. 
>> After PoP, another artifact is created at AuthzServer and 
>> it is brought back to the WebAppClient through UA redirect. 
>> Then, the verification Code Response can be obtained from AuthzServer  directly using the artifact. 
>> The rest is the same. 
>> 
>> I created a blog entry with a pretty diagram at 
>> http://www.sakimura.org/en/modules/wordpress/oauth-wrap-mobile-web-app-profile/
>> 
>> It may be easier to see the page instead of the above description. 
>> 
>> (Instead of using response artifact, Verification Code Response can be sent directly, 
>>  but then we would be introducing AuthzServer -> WebAppClient communication, which would have 
>>  some implication on firewall configuration.) 
>> 
>> For those of you who say that "Artifact is Complex", see the original Web App Profile here: 
>> 
>> http://www.sakimura.org/en/modules/wordpress/oauth-wrap-web-app-profile-summary/
>> 
>> It is almost identical. 
>> 
>> Added value is that it is more "mobile" friendly, and is actually more secure if the 
>> Request Artifact and Response Artifact (wrap_verification_code) are generated cryptographically
>> strongly. 
>> 
>> What would you think? 
> _______________________________________________
> specs mailing list
> specs at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs
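The exchange Nat describes above (direct WebAppClient to AuthzServer call for a Request Artifact, UA carries it to the AuthzServer, user approves, a Response Artifact comes back through the UA redirect, and the WebAppClient resolves it directly) can be modelled end to end with both sides in one process. The code below is an added illustration written for this archive page, not code from the thread, from Nat's blog post or from any WRAP implementation. It follows Nat's names (AuthzServer, WebAppClient, Request Artifact, Response Artifact, wrap_verification_code) but everything else is assumed: the parameter name wrap_request_artifact, the 60-second artifact lifetime, the in-memory stores, the example hostnames and the client registry. It does not implement John's SHA256-XOR compaction idea; it uses 256-bit random artifacts, which at 43 base64url characters are already small enough for a GET. The point it adds to the prose is the three checks the artifacts need for the "more secure" claim to hold: single use, binding to the client that requested it, and expiry.

```python
import secrets
import time
from urllib.parse import urlencode, urlsplit, parse_qs

ARTIFACT_TTL = 60  # seconds; an assumed lifetime, not a value from the thread


class AuthzServer:
    """Issues and resolves the two artifacts of the proposed flow (in-memory, for illustration)."""

    def __init__(self, clients, clock=time.time):
        self.clients = clients   # client_id -> client_secret; a constructed registry
        self.clock = clock       # injectable so expiry can be exercised offline
        self.pending = {}        # request artifact  -> (client_id, redirect_uri, scope, issued_at)
        self.approved = {}       # response artifact -> (client_id, user_id, scope, issued_at)

    @staticmethod
    def _new_artifact():
        # 256 bits from the OS CSPRNG, 43 base64url chars: unguessable but GET-sized
        return secrets.token_urlsafe(32)

    def _check_client(self, client_id, client_secret):
        if not secrets.compare_digest(self.clients.get(client_id, ""), client_secret):
            raise PermissionError("unknown client or bad secret")

    def request_artifact(self, client_id, client_secret, redirect_uri, scope):
        """Step 1: direct WebAppClient -> AuthzServer call; returns the Request Artifact."""
        self._check_client(client_id, client_secret)
        artifact = self._new_artifact()
        self.pending[artifact] = (client_id, redirect_uri, scope, self.clock())
        return artifact

    def authorize(self, request_artifact, user_id, approved=True):
        """Step 2: the UA brings the Request Artifact; after the user's approval (the PoP)
        a fresh Response Artifact is minted and returned via a UA redirect."""
        entry = self.pending.pop(request_artifact, None)   # pop, never get: single use
        if entry is None:
            raise ValueError("unknown or already-used request artifact")
        client_id, redirect_uri, scope, issued_at = entry
        if self.clock() - issued_at > ARTIFACT_TTL:
            raise ValueError("request artifact expired")
        if not approved:
            return redirect_uri + "?" + urlencode({"error": "user_denied"})
        response_artifact = self._new_artifact()
        self.approved[response_artifact] = (client_id, user_id, scope, self.clock())
        return redirect_uri + "?" + urlencode({"wrap_verification_code": response_artifact})

    def resolve(self, response_artifact, client_id, client_secret):
        """Step 3: direct WebAppClient -> AuthzServer call that trades the Response Artifact
        for the Verification Code Response (a constructed token record here)."""
        self._check_client(client_id, client_secret)
        entry = self.approved.pop(response_artifact, None)  # single use, burned even on failure
        if entry is None:
            raise ValueError("unknown or already-used response artifact")
        bound_client, user_id, scope, issued_at = entry
        if bound_client != client_id:
            raise PermissionError("artifact was issued to a different client")
        if self.clock() - issued_at > ARTIFACT_TTL:
            raise ValueError("response artifact expired")
        return {"wrap_access_token": self._new_artifact(), "user": user_id, "scope": scope}


class WebAppClient:
    def __init__(self, client_id, client_secret, redirect_uri, server):
        self.client_id, self.client_secret = client_id, client_secret
        self.redirect_uri, self.server = redirect_uri, server

    def start(self, scope):
        """Back-channel fetch of a Request Artifact; returns the URL the UA is sent to.
        The parameter name wrap_request_artifact is an assumption of this example."""
        art = self.server.request_artifact(self.client_id, self.client_secret, self.redirect_uri, scope)
        return "https://authz.example/authorize?" + urlencode({"wrap_request_artifact": art})

    def finish(self, redirect_url):
        """Handle the UA redirect back and resolve the Response Artifact over the back channel."""
        query = parse_qs(urlsplit(redirect_url).query)
        if "error" in query:
            raise PermissionError(query["error"][0])
        return self.server.resolve(query["wrap_verification_code"][0], self.client_id, self.client_secret)


def _approve(server, client, user_id="alice", approve=True):
    """Play the UA: carry the Request Artifact to the AuthzServer, return the redirect back."""
    ua_url = client.start("openid")
    request_artifact = parse_qs(urlsplit(ua_url).query)["wrap_request_artifact"][0]
    return server.authorize(request_artifact, user_id, approved=approve)


def run_flow(server, client, user_id="alice", approve=True):
    """One complete exchange; returns the resolved token record."""
    return client.finish(_approve(server, client, user_id, approve))


def _raises(fn):
    try:
        fn()
    except (ValueError, PermissionError):
        return True
    return False


def security_checks():
    """The properties that make the artifact flow safe: single use, client binding, expiry."""
    now = [1000.0]
    server = AuthzServer({"rp1": "s3cret-1", "rp2": "s3cret-2"}, clock=lambda: now[0])
    rp1 = WebAppClient("rp1", "s3cret-1", "https://rp1.example/cb", server)
    rp2 = WebAppClient("rp2", "s3cret-2", "https://rp2.example/cb", server)
    back = _approve(server, rp1)
    rp1.finish(back)
    replay = _raises(lambda: rp1.finish(back))          # same Response Artifact resolved twice
    back = _approve(server, rp1)
    cross = _raises(lambda: rp2.finish(back))           # rp2 presents rp1's artifact with valid rp2 creds
    back = _approve(server, rp1)
    now[0] += ARTIFACT_TTL + 1
    expired = _raises(lambda: rp1.finish(back))         # artifact older than ARTIFACT_TTL
    return {"replay_rejected": replay, "cross_client_rejected": cross, "expired_rejected": expired}
```

Both artifacts only ever travel through the UA as opaque random strings and are resolved over the direct client-to-server channel, which is what lets the flow avoid any AuthzServer-to-WebAppClient connection (Nat's firewall point) while keeping the GET parameters short. The client-binding check in resolve is the one most easily forgotten: without it, a stolen wrap_verification_code could be redeemed by any registered client.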
