[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: [imi] Token profile issue with AppliesTo and AudienceRestriction
David Chadwick wrote on 2009-12-15: > In this case if an RP is saying that it requests a token with an > AppliesTo, one has to assume that this means the RP wont accept ie. risk > trusting, a token that does not contain an AudienceRestriction. Thus the > latter should be mandatory, if requested, since if the RP is not > bothered either way, it need not ask for the appliesTo. Making the > AudienceRestriction optional negates the purpose of the RP asking for it It actually goes further than that. Formally, the WST is from the *client*, not the RP. The IMI profile includes the (mostly unused) option of an RP/STS injecting content into the RST using a template (the notion you're describing). But the protocol flow is that the client is requesting the token, so it's conceptually *my* requirement as the user, not the RP's. All of which is to say that's even worse practice to violate the user's wishes than the RP's. -- Scott
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]