Subject: Re: [security-services] SAML deployments that use consent step?
OAuth actually mandates consent, MUST not SHOULD.

Could this, given the interpretation of its relevance put forward by Josh, preclude wider deployment?

The spec is crystal clear but I'm sure it could be 'interpreted'......

paul

Scott Cantor wrote:
> Thomas Hardjono wrote on 2009-11-12:
>> I often get questions about OAUTH and SAML, and I often respond by
>> saying that OAUTH as a "consent-giving" protocol (as opposed to an
>> "authentication" protocol).
>
> I think OAuth is a protocol for issuing combined authentication and
> authorization tokens in one step, but like most "token" carriers, it
> really doesn't specify how the token is interpreted. It gets used for
> pure authentication as well as the more typical delegated authorization
> scenario. Same goes for SAML at times. It's all in how you look at it.
>
>> That is (using the OAUTH spec use-case), a user gives consent to
>> RitzPhoto to download/print a JPEG file from the user's Flickr account.
>
> Yes, but that consent takes the form of a token that the consumer uses
> to authenticate itself to the service with some set of implied access
> rights.
>
>> I'm thinking that all the steps in OAUTH can be expressed in SAML
>> (right?)
>
> Yes. OAuth "classically" assumes that the token issuer and the service
> are the same thing, and SAML assumes they're probably different, which
> implies a standard token format and the notion of formalized
> SubjectConfirmation to communicate from the issuer to the service what
> the consumer has to do to use the token.
>
> Note that OAuth also includes a lot of orthogonal material on securing
> HTTP messages that properly have nothing to do with the protocol pattern
> itself.
>
> -- Scott
>
> ---------------------------------------------------------------------
> To unsubscribe from this mail list, you must leave the OASIS TC that
> generates this mail. Follow this link to all your TCs in OASIS at:
> https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php