security-services message



Subject: RE: [security-services] draft: SAML 2.0 Bearer Assertion Profile for OAuth 2.0


> Who is the subject (other than just the subject) if it's not the
> resource owner?   Someone who has been granted access by the resource
> owner.  That's delegation (or impersonation if it's not stated), isn't
> it?

What if the resource owner isn't the one doing the granting? Or what if the
grant takes the form of a static ACL, but apart from that, the grantee is
just a service that authenticates to a SAML authority, owner not involved,
gets an assertion proving who it is, and presents that to the authz server
to get its access token?

It just depends.

> And wouldn't it be most appropriate to represent that delegation
> in the assertion?

Sometimes, but not always.

> I feel like there is value in specifying that the resource owner be
> expressed in some way in the assertion rather than having the authz
> server just have to figure it out based on some access grants that it
> likely doesn't know anything about.

I don't think the resource owner is a direct party to every possible
transaction, and the assertion is not generally supposed to be about the
resource, so metadata about the resource (like the owner) isn't going to be
in the assertion unless the security flow warrants that.

> OK, I just read "SAML V2.0 Condition for Delegation Restriction" and
> see how that would be generally preferable to using the
> SubjectConfirmation.  But it still seems to me that the subject is the
> resource owner and the delegation is a means to represent (and
> restrict) the entity that is actually presenting the assertion on
> behalf of the subject.

That's a (common) use case, but it isn't the only precondition to try to
access something.

-- Scott
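The two situations the exchange above contrasts, as an added example that is not part of the thread and not the profile's own code: in one assertion the subject is the resource owner and the presenting client is named in a SAML V2.0 Delegation Restriction condition; in the other a service authenticates for itself and no resource owner appears at all, so the authorization server has to learn any grant from its own access-control data. Both assertions are constructed samples with placeholder entity names (alice@example.test, client.example.test, svc.example.test, idp.example.test); the parsing is a hypothetical authorization-server routine, not a reference implementation.

```python
"""Added example: read the Subject and an optional Delegation Restriction
condition from a SAML 2.0 bearer assertion, then decide who is presenting
and on whose behalf. Samples below are constructed, not real traffic."""
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "del": "urn:oasis:names:tc:SAML:2.0:conditions:delegation",
}
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Case 1 (constructed): subject is the resource owner; the client acting on
# her behalf is listed as a Delegate in a DelegationRestrictionType condition.
DELEGATED = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:del="urn:oasis:names:tc:SAML:2.0:conditions:delegation"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:Subject>
    <saml:NameID>alice@example.test</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/>
  </saml:Subject>
  <saml:Conditions>
    <saml:Condition xsi:type="del:DelegationRestrictionType">
      <del:Delegate>
        <saml:NameID>https://client.example.test</saml:NameID>
      </del:Delegate>
    </saml:Condition>
  </saml:Conditions>
</saml:Assertion>"""

# Case 2 (constructed): a service authenticates to the SAML authority for
# itself. The subject is the service; no resource owner is in the assertion.
SERVICE_ONLY = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:Subject>
    <saml:NameID>https://svc.example.test</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/>
  </saml:Subject>
  <saml:Conditions/>
</saml:Assertion>"""


def parse_presenter(assertion_xml):
    """Extract subject NameID, whether bearer confirmation is present, and
    the ordered list of delegate NameIDs (empty when no delegation condition)."""
    root = ET.fromstring(assertion_xml)
    subject = root.find("saml:Subject/saml:NameID", NS).text
    methods = [sc.get("Method")
               for sc in root.findall("saml:Subject/saml:SubjectConfirmation", NS)]
    delegates = []
    for cond in root.findall("saml:Conditions/saml:Condition", NS):
        # xsi:type carries a QName; comparing the local part is enough for
        # this example (a production check would resolve the prefix).
        if cond.get(XSI_TYPE, "").split(":")[-1] == "DelegationRestrictionType":
            for d in cond.findall("del:Delegate", NS):
                delegates.append(d.find("saml:NameID", NS).text)
    return {"subject": subject, "bearer": BEARER in methods, "delegates": delegates}


def acting_party(info):
    """Return (presenter, on_behalf_of). With a delegation chain the subject is
    the party being acted for and the last-listed delegate (the most recent
    one, in the order the delegation condition uses) is the presenter. Without
    one, the subject itself is the presenter and any resource owner must come
    from the authorization server's own grant records, not the assertion."""
    if info["delegates"]:
        return info["delegates"][-1], info["subject"]
    return info["subject"], None


if __name__ == "__main__":
    for label, xml in (("delegated", DELEGATED), ("service-only", SERVICE_ONLY)):
        info = parse_presenter(xml)
        print(label, info, acting_party(info))
```

The point of the second case is the one made in the reply: the authorization server gets a valid bearer assertion proving who the service is, and nothing in it says whose resources are involved; that link lives in an ACL or grant table the authorization server already holds.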