Description:
Web Resource Authorization Protocol working group.

OAuth WRAP viewed as project to watch in 2010
...OAuth WRAP (Web Resource Authorization Protocol) For a variety of situations where a developer simply wants to integrate with an API via POST the OAuth dance can be a bit of a headache. OAuth WRAP is not much different than OAuth except that a client only has to pass the Access Token in the HTTP Authorization header, so it completely eliminates the need for signatures. All server-to-server WRAP calls happen via SSL. An additional benefit of eliminating signatures is that one can curl OAuth-WRAP requests without requiring any special libraries. There is an active working group fleshing out a spec and I expect to see widespread adoption of this in 2010 coming via products from the major service providers (specifically Facebook, Google, Microsoft, and Yahoo!)....

group moved to OAuth WRAP WG
We have moved the group to OAuth WRAP WG to reflect the new and
improved name.
I tried moving everyone over to there, but Google got cranky about
adding so many people to the group all at once. Here is a link to the
new group.
[link]
-- Dick

Assertion Profile/ refresh token
Hi guys,
someone brought this up in the discussion today, and I think they are right:
The assertion profile should return a refresh token (in section 5.2.4).
Here's why: chances are the assertion is a SAML or OpenID assertion that can
only be re-obtained by having the user talk to their IdP. In other profiles,...

Latest WRAP and SWT
Attached are the latest WRAP and SWT specifications.
Changes to WRAP are adding in Client Identifier and Client Secret to the Web App profile per discussions on this list and then face to face at IIW. Other changes are grammatical and administrative (adding License section)
Allen, Brian and I will be reviewing the spec at IIW tomorrow....

WRAP 0.9.7.0 and changes
Changes: Renamed Delegation Token to Refresh Token. Refresh Token URL is now only used to exchange a Refresh Token for an Access Token. Makes more sense for Client to request an Access Token than a Delegation Token (Client may not need to ever use a Refresh Token) Numerous copy changes per Brian's feedback in prior email....

Updated WRAP spec 0.9.6.0
Complete spec except for references and security considerations. Changes since last document are grammatical, and the examples were updated to reflect spec changes. Documents have been uploaded to Google WRAP Group. -Dick

SWT updated to 0.9.4.2
My Perl script had a little boo boo in it and did not have the correct HMAC output. Example fixed. Files are attached and have also been uploaded to Google Group WRAP site. -Dick

JSON Web Token
Suggested changes to JSON format: Use URL Safe JSON ('-','_' instead of '+','/', and no LFs and no padding) Use dot '.' instead of ":" as delimiter as it is URL safe Include HMAC in a second JSON that includes signature metadata rather than just appending base64 of HMAC. Makes it easy to have alternative signature methods, or support for encryption....

SWT 0.9.4.1
Attached is a draft of the Simple Web Token. It is also on the group page as a file. References and security considerations still TBD. Comments and suggestions welcome! -Dick

captcha prompts
I've been thinking about the note that Dick sent out proposing a special error code for captcha rate limiting when a client is trying to exchange a username and password for a delegation token. This is very similar to Google's ClientLogin interface. I talked to a couple of folks here to find out how many developers have actually handled...