Subject: Re: [security-services] SAML deployments that use consent step?


OAuth actually mandates consent, MUST, not SHOULD.

Could this, given the interpretation of its relevance put forward by Josh, preclude wider deployment?

The spec is crystal clear but I'm sure it could be 'interpreted'......

paul

Scott Cantor wrote:
Thomas Hardjono wrote on 2009-11-12:
I often get questions about OAUTH and SAML,
and I often respond by saying that OAUTH is a "consent-giving" protocol
(as opposed to an "authentication" protocol).

I think OAuth is a protocol for issuing combined authentication and
authorization tokens in one step, but like most "token" carriers, it really
doesn't specify how the token is interpreted. It gets used for pure
authentication as well as the more typical delegated authorization scenario.
Same goes for SAML at times. It's all in how you look at it.

That is (using the OAUTH spec use-case), a user gives consent to RitzPhoto
to download/print a JPEG file from the user's Flickr account.

Yes, but that consent takes the form of a token that the consumer uses to
authenticate itself to the service with some set of implied access rights.

I'm thinking that all the steps in OAUTH can be expressed
in SAML (right?)

Yes. OAuth "classically" assumes that the token issuer and the service are
the same thing, and SAML assumes they're probably different, which implies a
standard token format and the notion of formalized SubjectConfirmation to
communicate from the issuer to the service what the consumer has to do to
use the token.

Note that OAuth also includes a lot of orthogonal material on securing HTTP
messages that properly have nothing to do with the protocol pattern itself.
 
-- Scott
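Added example, not from this thread or from any OASIS code: a service-side check of the constraints a SAML 2.0 bearer SubjectConfirmation carries, i.e. the "what the consumer has to do to use the token" that Scott says the issuer communicates to the service. The assertion, endpoint URL and request ID are constructed for illustration, and XML signature verification is assumed to have been done before this step.

```python
# Added example (not from the thread): service-side check of a SAML 2.0 bearer
# SubjectConfirmation, the rules the issuer states for using the token.
# The assertion below is constructed for illustration; signature checking is
# assumed to have been done before this point.
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1" IssueInstant="2009-11-12T10:00:00Z" Version="2.0">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <saml:Subject>
    <saml:NameID>alice</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="https://sp.example.org/acs"
          NotOnOrAfter="2009-11-12T10:05:00Z" InResponseTo="_req7"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
</saml:Assertion>"""

def parse_instant(s):
    """Parse a SAML UTC timestamp of the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def confirm_bearer(assertion_xml, recipient, expected_request_id, now):
    """Return (ok, reason) for the bearer confirmation the service must enforce:
    it was addressed to this endpoint, is still valid, and answers our request."""
    root = ET.fromstring(assertion_xml)
    for sc in root.findall("saml:Subject/saml:SubjectConfirmation", NS):
        if sc.get("Method") != BEARER:
            continue  # holder-of-key etc. need a key-binding check, not done here
        data = sc.find("saml:SubjectConfirmationData", NS)
        if data is None:
            return False, "bearer confirmation lacks SubjectConfirmationData"
        if data.get("Recipient") != recipient:
            return False, "Recipient does not name this service endpoint"
        expiry = data.get("NotOnOrAfter")
        if expiry is None or now >= parse_instant(expiry):
            return False, "NotOnOrAfter missing or already passed"
        if data.get("InResponseTo") != expected_request_id:
            return False, "InResponseTo does not match an outstanding request"
        return True, "bearer confirmation satisfied"
    return False, "no bearer SubjectConfirmation present"
```

A real deployment would also check the assertion's Conditions (AudienceRestriction, NotBefore) and replay-cache the assertion ID, which this check leaves out.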


