<html><head></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">In principal it would work. The only downside is that the artifact/token might be smaller if it were a simple SHA256 XORd with the association secret or something like that. <div><br></div><div>I like the concept in principal if it doesn't compromise the ability to have a small response via GET.</div><div><br></div><div>I had questions around the token format returned by the protected resource.(artifact resolution)</div><div><br></div><div>John B.</div><div><br><div><div>On 2010-02-10, at 7:27 PM, Allen Tom wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><div>
<font face="Calibri, Verdana, Helvetica, Arial"><span style="font-size:11pt">+ [specs@openid]<br>
<br>
Nat – this is exactly what I had in mind. In many ways Oauth and Oauth-WRAP are similar to artifact binding – the user approves a token, which is then passed back to the RP via a browser redirect. The token is then used by the RP to make web service calls on the OP to access a Protected Resource.<br>
<br>
The token is kind of like an artifact, and the Protected Resource can be an OpenID assertion.<br>
<br>
Would we be able to combine the OpenID Artifact Binding Extension with OAuth WRAP? If so, that would be great.<br>
<br>
Allen<br>
<br>
<br>
On 2/8/10 7:29 PM, "Nat Sakimura" <<a href="x-msg://991/sakimura@gmail.com">sakimura@gmail.com</a>> wrote:<br>
<br>
</span></font><blockquote type="cite"><font face="Calibri, Verdana, Helvetica, Arial"><span style="font-size:11pt">Hi<br>
<br>
I was wondering if we could define an Artifact Binding/Mobile Profile for Wrap. <br>
<br>
The way I would do is pretty simple because Wrap Web App Profile is an Artifact Binding to some extent. <br>
Just send Verification Code Request directly from WebAppClient to AuthzServer <br>
and get an Artifact back and bring that to AuthzServer through UA. <br>
After PoP, another artifact is created at AuthzServer and <br>
it is brough back to the WebAppClient through UA redirect. <br>
Then, the verification Code Response can be obtained from AuthzServer directly using the artifact. <br>
The rest is the same. <br>
<br>
I created an blog entry with pretty diagram at <br>
<a href="http://www.sakimura.org/en/modules/wordpress/oauth-wrap-mobile-web-app-profile/">http://www.sakimura.org/en/modules/wordpress/oauth-wrap-mobile-web-app-profile/</a><br>
<br>
It may be easier to see the page instead of the above description. <br>
<br>
(Instead of using response artifact, Verification Code Response can be sent directly, <br>
but then we would be introducing AuthzServer -> WebAppClient communication, which would have <br>
some implication on firewall configuration.) <br>
<br>
For those of you who say that "Artifact is Complex", see the original Web App Profile here: <br>
<br>
<a href="http://www.sakimura.org/en/modules/wordpress/oauth-wrap-web-app-profile-summary/">http://www.sakimura.org/en/modules/wordpress/oauth-wrap-web-app-profile-summary/</a><br>
<br>
It is almost identical. <br>
<br>
Added value is that is is more "mobile" friendly, and is actually more secure if the <br>
Request Artifact and Response Artifact (wrap_verification_code) is generated cryptographically<br>
strongly. <br>
<br>
What would you think? <br>
</span></font></blockquote>
</div>
_______________________________________________<br>specs mailing list<br><a href="mailto:specs@lists.openid.net">specs@lists.openid.net</a><br>http://lists.openid.net/mailman/listinfo/openid-specs<br></blockquote></div><br></div></body></html>