[Openid-specs-fastfed] missing oauth_token
Matt Domsch
matt.domsch at sailpoint.com
Tue Oct 15 20:33:43 UTC 2019
Current draft section 7.2.3.1, Identity Provider Sends Registration Request, omits the oauth_token, which is present in the "Alice" FastFed Scenario #1A with SAML + SCIM, section 9. Therefore there's no way for the AP to authenticate any future SCIM calls to the IDP. Was this intentionally omitted?
    "oauth_token": {
        "access_token": "MTQ0NjJkZmQ5OTM2NDE1ZTZjNGZmZjI3",
        "token_type": "bearer",
        "refresh_token": "IwOGYzYTlmM2YxOTQ5MGE3YmNmMDFkNTVk",
        "expires_in": 3600
    }
Likewise, spec 7.2.3.3, Application Provider Sends Registration Response, omits oauth_token, which "Alice" step 11 has. This is even more necessary, as it's likely that the IDP (or another provider) would need it to place provisioning calls to the AP.
Alternatively, oauth_token could go into spec 6.6, OAuth Access Tokens, which is a subset of 7.2.3.1 and 7.2.3.3, and which references RFC7523 where one would make use of such. As long as it's in here somewhere.
Thanks,
Matt
Matt Domsch
VP, Lead Corporate Architect
matt.domsch at sailpoint.com
mobile: 512-981-6486
www.sailpoint.com
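The practical consequence of the omission Matt describes is that a receiving provider has nothing to put in the Authorization header of its later SCIM calls. The following is an added example, not code from the FastFed spec, the mailing-list thread, or SailPoint: it validates the oauth_token object as it appears in the "Alice" scenario (access_token, token_type, optional refresh_token, expires_in), rejects a registration message that lacks it, and derives the Bearer header and refresh deadline a provisioning client would use. The surrounding fields of the registration request/response are deliberately left out; the two sample messages are constructed here, the class and function names are this example's own, and the absolute-expiry arithmetic (now + expires_in) is an assumption about how a client would track the token, not something the spec text on this page states.

```python
"""Validate the oauth_token object of a FastFed registration message.

Added example (not FastFed spec or SailPoint code). Only the oauth_token
member is modelled; the rest of the registration message is omitted.
"""
from dataclasses import dataclass
from typing import Any, Dict, Optional


class MissingOAuthToken(ValueError):
    """Raised when the registration message carries no oauth_token at all."""


@dataclass(frozen=True)
class ProvisioningCredential:
    """What a provider keeps after registration in order to call SCIM later."""
    access_token: str
    expires_at: float            # absolute time, seconds since the epoch
    refresh_token: Optional[str]

    def authorization_header(self) -> Dict[str, str]:
        # RFC 6750 bearer usage: the token goes verbatim into Authorization.
        return {"Authorization": f"Bearer {self.access_token}"}

    def needs_refresh(self, now: float, skew: float = 60.0) -> bool:
        # Refresh a little early so a call in flight is not rejected mid-request.
        return now + skew >= self.expires_at


def parse_oauth_token(message: Dict[str, Any], now: float) -> ProvisioningCredential:
    """Extract and validate oauth_token from a registration request/response.

    `now` is the caller's clock (assumption: expires_in is relative to receipt).
    """
    token = message.get("oauth_token")
    if token is None:
        raise MissingOAuthToken(
            "registration message has no oauth_token; "
            "nothing is available to authenticate later SCIM calls")
    if not isinstance(token, dict):
        raise ValueError("oauth_token must be a JSON object")

    access = token.get("access_token")
    if not isinstance(access, str) or not access:
        raise ValueError("access_token missing or empty")

    # token_type is case-insensitive per RFC 6749; only bearer is usable here.
    ttype = token.get("token_type")
    if not isinstance(ttype, str) or ttype.lower() != "bearer":
        raise ValueError(f"unsupported token_type: {ttype!r}")

    expires_in = token.get("expires_in")
    if isinstance(expires_in, bool) or not isinstance(expires_in, int) or expires_in <= 0:
        raise ValueError("expires_in must be a positive integer number of seconds")

    refresh = token.get("refresh_token")
    if refresh is not None and (not isinstance(refresh, str) or not refresh):
        raise ValueError("refresh_token, if present, must be a non-empty string")

    return ProvisioningCredential(access, now + expires_in, refresh)


# Constructed sample messages. The token values are the ones quoted in the
# e-mail above; everything else about the message is omitted on purpose.
RESPONSE_WITH_TOKEN: Dict[str, Any] = {
    "oauth_token": {
        "access_token": "MTQ0NjJkZmQ5OTM2NDE1ZTZjNGZmZjI3",
        "token_type": "bearer",
        "refresh_token": "IwOGYzYTlmM2YxOTQ5MGE3YmNmMDFkNTVk",
        "expires_in": 3600,
    }
}
RESPONSE_WITHOUT_TOKEN: Dict[str, Any] = {}   # what draft 7.2.3.3 currently yields


def check_registration(message: Dict[str, Any], now: float) -> Optional[Dict[str, str]]:
    """Return the SCIM Authorization header, or None if the message is unusable."""
    try:
        return parse_oauth_token(message, now).authorization_header()
    except MissingOAuthToken:
        return None


if __name__ == "__main__":
    import time
    print(check_registration(RESPONSE_WITH_TOKEN, time.time()))
    print(check_registration(RESPONSE_WITHOUT_TOKEN, time.time()))
```

The second sample reproduces the situation in the mail: with no oauth_token in the registration response there is simply no credential to attach to a SCIM request, which is the check that should fail loudly at registration time rather than as a 401 on the first provisioning call.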