[WG-UMA] OAuth signature state-of-the-art

Eve Maler eve at xmlgrrl.com
Wed Jul 7 15:59:03 EDT 2010


One of my action items from May was to forward info on the proposed OAuth signature solution.  Dirk Balfanz posted the following message on June 21, occasioning a large discussion thread -- mostly positive, suggesting mostly tweaks.  Signing no longer appears in the core OAuth2 spec (note that comments on draft 09 are due tomorrow!), but would layer on top of that spec.

http://www.ietf.org/mail-archive/web/oauth/current/msg03211.html

Below is the meat of Dirk's message, to get all the relevant links conveniently into your hands.  If you have comments, whether motivated by UMA-specific needs or wider needs, feel free to comment here -- but your best bet if you're seeking changes is to contribute directly to the IETF OAuth conversation as well.

	Eve

====
I wrote something down that liberally borrows ideas from Magic Signatures, SWT, and (even the name from) JSON Web Tokens. 

Here is a short document (called "JSON Tokens") that just explains how to sign something and verify the signature:
http://docs.google.com/document/pub?id=1kv6Oz_HRnWa0DaJx_SQ5Qlk_yqs_7zNAm75-FmKwNo4

Here is an extension of JSON Tokens that can be used for signed OAuth tokens:
http://docs.google.com/document/pub?id=1JUn3Twd9nXwFDgi-fTKl-unDG_ndyowTZW8OWX9HOUU

Here is a different extension of JSON Tokens that can be used for 2-legged flows. The idea is that this could be used as a drop-in replacement for SAML assertions in the OAuth2 assertion flow:
http://docs.google.com/document/pub?id=1s4kjRS9P0frG0ulhgP3He01ONlxeTwkFQV_pCoOowzc

I also have started to write some code to implement this as a proof-of-concept. 
====

Eve Maler
http://www.xmlgrrl.com/blog
http://www.twitter.com/xmlgrrl
http://www.linkedin.com/in/evemaler
