<HTML>
<HEAD>
<TITLE>Re: [WRAP] Wrap Artifact Binding/Mobile Profile</TITLE>
</HEAD>
<BODY>
<FONT FACE="Calibri, Verdana, Helvetica, Arial"><SPAN STYLE='font-size:11pt'>+ [specs@openid]<BR>
<BR>
Nat – this is exactly what I had in mind. In many ways OAuth and OAuth-WRAP are similar to artifact binding – the user approves a token, which is then passed back to the RP via a browser redirect. The token is then used by the RP to make web service calls on the OP to access a Protected Resource.<BR>
<BR>
The token is kind of like an artifact, and the Protected Resource can be an OpenID assertion.<BR>
<BR>
Would we be able to combine the OpenID Artifact Binding Extension with OAuth WRAP? If so, that would be great.<BR>
<BR>
Allen<BR>
<BR>
<BR>
On 2/8/10 7:29 PM, "Nat Sakimura" &lt;<a href="sakimura@gmail.com">sakimura@gmail.com</a>&gt; wrote:<BR>
<BR>
</SPAN></FONT><BLOCKQUOTE><FONT FACE="Calibri, Verdana, Helvetica, Arial"><SPAN STYLE='font-size:11pt'>Hi<BR>
<BR>
I was wondering if we could define an Artifact Binding/Mobile Profile for Wrap. <BR>
<BR>
The way I would do it is pretty simple because Wrap Web App Profile is an Artifact Binding to some extent. <BR>
Just send Verification Code Request directly from WebAppClient to AuthzServer <BR>
and get an Artifact back and bring that to AuthzServer through UA. <BR>
After PoP, another artifact is created at AuthzServer and <BR>
it is brought back to the WebAppClient through UA redirect. <BR>
Then, the verification Code Response can be obtained from AuthzServer directly using the artifact. <BR>
The rest is the same. <BR>
<BR>
I created a blog entry with a pretty diagram at <BR>
<a href="http://www.sakimura.org/en/modules/wordpress/oauth-wrap-mobile-web-app-profile/">http://www.sakimura.org/en/modules/wordpress/oauth-wrap-mobile-web-app-profile/</a><BR>
<BR>
It may be easier to see the page instead of the above description. <BR>
<BR>
(Instead of using response artifact, Verification Code Response can be sent directly, <BR>
but then we would be introducing AuthzServer -> WebAppClient communication, which would have <BR>
some implication on firewall configuration.) <BR>
<BR>
For those of you who say that "Artifact is Complex", see the original Web App Profile here: <BR>
<BR>
<a href="http://www.sakimura.org/en/modules/wordpress/oauth-wrap-web-app-profile-summary/">http://www.sakimura.org/en/modules/wordpress/oauth-wrap-web-app-profile-summary/</a><BR>
<BR>
It is almost identical. <BR>
<BR>
Added value is that it is more "mobile" friendly, and is actually more secure if the <BR>
Request Artifact and Response Artifact (wrap_verification_code) are generated cryptographically<BR>
strongly. <BR>
<BR>
What would you think? <BR>
</SPAN></FONT></BLOCKQUOTE>
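<P>The artifact exchange described in the quoted message, modelled from the AuthzServer side as an added example; it is not code from either post or from the WRAP specification. The class and method names, the 60-second lifetime, the hashed store, and the use of a bare client_id in place of real client authentication are all assumptions made for illustration.</P>
<PRE>
```python
import hashlib
import secrets
import time

ARTIFACT_TTL = 60  # seconds; assumed lifetime, the thread does not give one


class AuthzServer:
    """Constructed model of the AuthzServer side; all names are hypothetical."""

    def __init__(self):
        self._store = {}  # sha256(artifact) -> (kind, client_id, payload, expiry)

    def _issue(self, kind, client_id, payload):
        artifact = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        key = hashlib.sha256(artifact.encode()).hexdigest()
        expiry = time.monotonic() + ARTIFACT_TTL
        self._store[key] = (kind, client_id, payload, expiry)
        return artifact

    def _redeem(self, kind, artifact, client_id=None):
        key = hashlib.sha256(artifact.encode()).hexdigest()
        entry = self._store.pop(key, None)  # single use: gone after one lookup
        if entry is None:
            raise PermissionError("unknown or already used artifact")
        stored_kind, owner, payload, expiry = entry
        if stored_kind != kind or time.monotonic() >= expiry:
            raise PermissionError("wrong artifact type or expired")
        if client_id is not None and client_id != owner:
            raise PermissionError("artifact was issued to another client")
        return owner, payload

    def verification_code_request(self, client_id, params):
        # Back channel, WebAppClient -> AuthzServer: returns the Request Artifact.
        return self._issue("request", client_id, params)

    def user_step(self, request_artifact, username):
        # Front channel: the UA presents the Request Artifact; after the user
        # step a Response Artifact is issued for the UA redirect back.
        owner, params = self._redeem("request", request_artifact)
        return self._issue("response", owner, {"user": username, **params})

    def verification_code_response(self, client_id, response_artifact):
        # Back channel: the WebAppClient redeems the Response Artifact directly.
        return self._redeem("response", response_artifact, client_id)[1]
```
</PRE>
<P>An artifact presented by the wrong client or at the wrong step is consumed as well as rejected, so a value leaked through the UA cannot be retried.</P>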
</BODY>
</HTML>