[OpenID] oauth assertion bearer grant - motivation?

Peter Williams home_pw at msn.com
Thu Jan 23 18:46:15 UTC 2014


It took me a while (and several years of lateness) to comprehend just what kind of world the classical oauth grants were designed for.  One advantage of being late to the party was that I tended to get better variants, such as a grant returning a JWT bearing attributes rather than using grants that returned guids as tokens - that had to be subsequently resolved.


So what is the “use case” of the saml2 bearer assertion grant?


It makes perfect sense that someone with a bearer assertion might swap it for a JWT, for use at APIs. And it makes perfect sense that such a saml assertion plays much the same role as does possession of an optional renewal-token - the one native to an OAUTH handshake.


But I don't see what the “generation changing” motivation is for the scopes - that the access token returns all scopes for which tokens (with renewals) have previously been issued.


So what is the 'context' of control being enabled here? What thing is this scope-aggregation feature working for?


Sent from Surface Pro