If you look at my manuscript of the Artifact Binding (<a href="http://www.sakimura.org/specs/ab/1.0">http://www.sakimura.org/specs/ab/1.0</a> ) , it is clear that the Artifact is created and consumed by OP/AuthzServer and is opaque to RP/WebAppClient. It has no restriction other than that it should be below 400 bytes. (NB: It is much bigger than SAML's 30bytes limit). <div>
<br></div><div>Or, if you are talking about the Access Token in fig. 1 of <a href="http://www.sakimura.org/en/modules/wordpress/oauth-wrap-mobile-web-app-profile/">http://www.sakimura.org/en/modules/wordpress/oauth-wrap-mobile-web-app-profile/</a> , then, it is also completely opaque. It does not even have the size limit. Only the condition is that AuthzServer and Resource has the common understanding of what it is. <br>
<div><br></div><div>=nat<br><div><br></div><div><br><div class="gmail_quote">On Thu, Feb 11, 2010 at 7:56 AM, John Bradley <span dir="ltr"><<a href="mailto:john.bradley@wingaa.com">john.bradley@wingaa.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;"><div style="word-wrap:break-word">In principal it would work. The only downside is that the artifact/token might be smaller if it were a simple SHA256 XORd with the association secret or something like that. <div>
<br></div><div>I like the concept in principal if it doesn't compromise the ability to have a small response via GET.</div><div><br></div><div>I had questions around the token format returned by the protected resource.(artifact resolution)</div>
<div><br></div><div>John B.</div><div><br><div><div><div></div><div class="h5"><div>On 2010-02-10, at 7:27 PM, Allen Tom wrote:</div><br></div></div><blockquote type="cite"><div><div></div><div class="h5"><div>
<font face="Calibri, Verdana, Helvetica, Arial"><span style="font-size:11pt">+ [specs@openid]<br>
<br>
Nat – this is exactly what I had in mind. In many ways Oauth and Oauth-WRAP are similar to artifact binding – the user approves a token, which is then passed back to the RP via a browser redirect. The token is then used by the RP to make web service calls on the OP to access a Protected Resource.<br>
<br>
The token is kind of like an artifact, and the Protected Resource can be an OpenID assertion.<br>
<br>
Would we be able to combine the OpenID Artifact Binding Extension with OAuth WRAP? If so, that would be great.<br>
<br>
Allen<br>
<br>
<br>
On 2/8/10 7:29 PM, "Nat Sakimura" <<a>sakimura@gmail.com</a>> wrote:<br>
<br>
</span></font><blockquote type="cite"><font face="Calibri, Verdana, Helvetica, Arial"><span style="font-size:11pt">Hi<br>
<br>
I was wondering if we could define an Artifact Binding/Mobile Profile for Wrap. <br>
<br>
The way I would do is pretty simple because Wrap Web App Profile is an Artifact Binding to some extent. <br>
Just send Verification Code Request directly from WebAppClient to AuthzServer <br>
and get an Artifact back and bring that to AuthzServer through UA. <br>
After PoP, another artifact is created at AuthzServer and <br>
it is brough back to the WebAppClient through UA redirect. <br>
Then, the verification Code Response can be obtained from AuthzServer directly using the artifact. <br>
The rest is the same. <br>
<br>
I created an blog entry with pretty diagram at <br>
<a href="http://www.sakimura.org/en/modules/wordpress/oauth-wrap-mobile-web-app-profile/" target="_blank">http://www.sakimura.org/en/modules/wordpress/oauth-wrap-mobile-web-app-profile/</a><br>
<br>
It may be easier to see the page instead of the above description. <br>
<br>
(Instead of using response artifact, Verification Code Response can be sent directly, <br>
but then we would be introducing AuthzServer -> WebAppClient communication, which would have <br>
some implication on firewall configuration.) <br>
<br>
For those of you who say that "Artifact is Complex", see the original Web App Profile here: <br>
<br>
<a href="http://www.sakimura.org/en/modules/wordpress/oauth-wrap-web-app-profile-summary/" target="_blank">http://www.sakimura.org/en/modules/wordpress/oauth-wrap-web-app-profile-summary/</a><br>
<br>
It is almost identical. <br>
<br>
Added value is that is is more "mobile" friendly, and is actually more secure if the <br>
Request Artifact and Response Artifact (wrap_verification_code) is generated cryptographically<br>
strongly. <br>
<br>
What would you think? <br>
</span></font></blockquote>
</div></div></div>
_______________________________________________<br>specs mailing list<br><a href="mailto:specs@lists.openid.net" target="_blank">specs@lists.openid.net</a><br><a href="http://lists.openid.net/mailman/listinfo/openid-specs" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs</a><br>
</blockquote></div><br></div></div><br>_______________________________________________<br>
specs mailing list<br>
<a href="mailto:specs@lists.openid.net">specs@lists.openid.net</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-specs" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs</a><br>
<br></blockquote></div><br><br clear="all"><br>-- <br>Nat Sakimura (=nat)<br><a href="http://www.sakimura.org/en/">http://www.sakimura.org/en/</a><br><a href="http://twitter.com/_nat_en">http://twitter.com/_nat_en</a><br>
</div></div></div>