| < draft-ietf-oauth-saml2-bearer-07.txt | draft-ietf-oauth-saml2-bearer-08.txt > | |||
|---|---|---|---|---|
| B. Campbell, Ed. | B. Campbell, Ed. | |||
| Internet-Draft Ping Identity Corp. | Internet-Draft Ping Identity Corp. | |||
| Intended status: Standards Track C. Mortimore | Intended status: Standards Track C. Mortimore | |||
| Expires: February 2, 2012 Salesforce.com | Expires: February 2, 2012 Salesforce.com | |||
| Aug 2011 | Aug 2011 | |||
| SAML 2.0 Bearer Assertion Profiles for OAuth 2.0 | SAML 2.0 Bearer Assertion Profiles for OAuth 2.0 | |||
| draft-ietf-oauth-saml2-bearer-07 | draft-ietf-oauth-saml2-bearer-08 | |||
| Abstract | Abstract | |||
| This specification defines the use of a SAML 2.0 Bearer Assertion as | This specification defines the use of a SAML 2.0 Bearer Assertion as | |||
| means for requesting an OAuth 2.0 access token as well as for use as | means for requesting an OAuth 2.0 access token as well as for use as | |||
| a means of client authentication. | a means of client authentication. | |||
| Status of this Memo | Status of this Memo | |||
| This Internet-Draft is submitted in full conformance with the | This Internet-Draft is submitted in full conformance with the | |||
| skipping to change at page 3, line 40 ¶ | skipping to change at page 3, line 40 ¶ | |||
| grant types to support additional clients or to provide a bridge | grant types to support additional clients or to provide a bridge | |||
| between OAuth and other trust frameworks. Finally, OAuth allows the | between OAuth and other trust frameworks. Finally, OAuth allows the | |||
| definition of additional authentication mechanisms to be used by | definition of additional authentication mechanisms to be used by | |||
| clients when interacting with the authorization server. | clients when interacting with the authorization server. | |||
| The OAuth 2.0 Assertion Profile [I-D.ietf.oauth-assertions] is an | The OAuth 2.0 Assertion Profile [I-D.ietf.oauth-assertions] is an | |||
| abstract extension to OAuth 2.0 that provides a general framework for | abstract extension to OAuth 2.0 that provides a general framework for | |||
| the use of assertions as client credentials and/or authorization | the use of assertions as client credentials and/or authorization | |||
| grants with OAuth 2.0. This specification profiles the OAuth 2.0 | grants with OAuth 2.0. This specification profiles the OAuth 2.0 | |||
| Assertion Profile [I-D.ietf.oauth-assertions] to define an extension | Assertion Profile [I-D.ietf.oauth-assertions] to define an extension | |||
| grant type that usues a SAML 2.0 Bearer Assertion to request an OAuth | grant type that uses a SAML 2.0 Bearer Assertion to request an OAuth | |||
| 2.0 access token as well as for use as client credentials. The | 2.0 access token as well as for use as client credentials. The | |||
| format and processing rules for the SAML Assertion defined in this | format and processing rules for the SAML Assertion defined in this | |||
| specification are intentionally similar, though not identical, to | specification are intentionally similar, though not identical, to | |||
| those in the Web Browser SSO Profile defined in SAML Profiles | those in the Web Browser SSO Profile defined in SAML Profiles | |||
| [OASIS.saml-profiles-2.0-os]. This specification is reusing, to the | [OASIS.saml-profiles-2.0-os]. This specification is reusing, to the | |||
| extent reasonable, concepts and patterns from that well-established | extent reasonable, concepts and patterns from that well-established | |||
| Profile. | Profile. | |||
| This document defines how a SAML Assertion can be used to request an | This document defines how a SAML Assertion can be used to request an | |||
| access token when a client wishes to utilize an existing trust | access token when a client wishes to utilize an existing trust | |||
| skipping to change at page 4, line 33 ¶ | skipping to change at page 4, line 33 ¶ | |||
| 2. HTTP Parameter Bindings for Transporting Assertions | 2. HTTP Parameter Bindings for Transporting Assertions | |||
| The OAuth 2.0 Assertion Profile [I-D.ietf.oauth-assertions] defines | The OAuth 2.0 Assertion Profile [I-D.ietf.oauth-assertions] defines | |||
| generic HTTP parameters for transporting assertions during | generic HTTP parameters for transporting assertions during | |||
| interactions with a token endpoint. This section defines the values | interactions with a token endpoint. This section defines the values | |||
| of those parameters for use with SAML 2.0 Bearer Assertions. | of those parameters for use with SAML 2.0 Bearer Assertions. | |||
| 2.1. Using SAML Assertions as Authorization Grants | 2.1. Using SAML Assertions as Authorization Grants | |||
| To use a SAML Bearer Assertion as an authorization grant, use the | To use a SAML Bearer Assertion as an authorization grant, use the | |||
| following paramter values and encodings. | following parameter values and encodings. | |||
| The value of "grant_type" parameter MUST be | The value of "grant_type" parameter MUST be | |||
| "urn:ietf:params:oauth:grant-type:saml2-bearer" | "urn:ietf:params:oauth:grant-type:saml2-bearer" | |||
| The value of the "assertion" parameter MUST contain a single SAML 2.0 | The value of the "assertion" parameter MUST contain a single SAML 2.0 | |||
| Assertion. The SAML Assertion XML data MUST be encoded using | Assertion. The SAML Assertion XML data MUST be encoded using | |||
| base64url, where the encoding adheres to the definition in Section 5 | base64url, where the encoding adheres to the definition in Section 5 | |||
| of RFC4648 [RFC4648] and where the padding bits are set to zero. To | of RFC4648 [RFC4648] and where the padding bits are set to zero. To | |||
| avoid the need for subsequent encoding steps (by "application/ | avoid the need for subsequent encoding steps (by "application/ | |||
| x-www-form-urlencoded" [W3C.REC-html401-19991224], for example), the | x-www-form-urlencoded" [W3C.REC-html401-19991224], for example), the | |||
| base64url encoded data SHOULD NOT be line wrapped and pad characters | base64url encoded data SHOULD NOT be line wrapped and pad characters | |||
| ("=") SHOULD NOT be included. | ("=") SHOULD NOT be included. | |||
| 2.2. Using SAML Assertions for Client Authentication | 2.2. Using SAML Assertions for Client Authentication | |||
| To use a SAML Bearer Assertion for client authentication grant, use | To use a SAML Bearer Assertion for client authentication grant, use | |||
| the following paramter values and encodings. | the following parameter values and encodings. | |||
| The value of "client_assertion_type" parameter MUST be | The value of "client_assertion_type" parameter MUST be | |||
| "urn:ietf:params:oauth:client-assertion-type:saml2-bearer" | "urn:ietf:params:oauth:client-assertion-type:saml2-bearer" | |||
| The value of the "client_assertion" parameter MUST contain a single | The value of the "client_assertion" parameter MUST contain a single | |||
| SAML 2.0 Assertion. The SAML Assertion XML data MUST be encoded | SAML 2.0 Assertion. The SAML Assertion XML data MUST be encoded | |||
| using base64url, where the encoding adheres to the definition in | using base64url, where the encoding adheres to the definition in | |||
| Section 5 of RFC4648 [RFC4648] and where the padding bits are set to | Section 5 of RFC4648 [RFC4648] and where the padding bits are set to | |||
| zero. To avoid the need for subsequent encoding steps (by | zero. To avoid the need for subsequent encoding steps (by | |||
| "application/x-www-form-urlencoded" [W3C.REC-html401-19991224], for | "application/x-www-form-urlencoded" [W3C.REC-html401-19991224], for | |||
| skipping to change at page 11, line 19 ¶ | skipping to change at page 11, line 19 ¶ | |||
| o Change controller: IETF | o Change controller: IETF | |||
| o Description: [[this document]] | o Description: [[this document]] | |||
| Appendix A. Contributors | Appendix A. Contributors | |||
| The following people contributed wording and concepts to this | The following people contributed wording and concepts to this | |||
| document: Paul Madsen, Patrick Harding, Peter Motykowski, Eran | document: Paul Madsen, Patrick Harding, Peter Motykowski, Eran | |||
| Hammer-Lahav, Peter Saint-Andre, Ian Barnett, Eric Fazendin, Torsten | Hammer-Lahav, Peter Saint-Andre, Ian Barnett, Eric Fazendin, Torsten | |||
| Lodderstedt, Susan Harper, Scott Tomilson, Scott Cantor, Michael | Lodderstedt, Susan Harper, Scott Tomilson, Scott Cantor, Michael | |||
| Jones, Hannes Tschofenig and David Waite. | Jones, Hannes Tschofenig, David Waite and Mukesh Bhatnagar. | |||
| Appendix B. Document History | Appendix B. Document History | |||
| [[ to be removed by RFC editor before publication as an RFC ]] | [[ to be removed by RFC editor before publication as an RFC ]] | |||
| draft-ietf-oauth-saml2-bearer-08 | ||||
| o fix some typos | ||||
| draft-ietf-oauth-saml2-bearer-07 | draft-ietf-oauth-saml2-bearer-07 | |||
| o update reference from draft-campbell-oauth-urn-sub-ns to | o update reference from draft-campbell-oauth-urn-sub-ns to | |||
| draft-ietf-oauth-urn-sub-ns | draft-ietf-oauth-urn-sub-ns | |||
| o Updated to reference draft-ietf-oauth-v2-20 | o Updated to reference draft-ietf-oauth-v2-20 | |||
| draft-ietf-oauth-saml2-bearer-06 | draft-ietf-oauth-saml2-bearer-06 | |||
| o Fix three typos NamseID->NameID and (2x) Namspace->Namespace | o Fix three typos NamseID->NameID and (2x) Namspace->Namespace | |||
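Review bot: the new -08 history entry "o fix some typos" is less specific than the -06 entry beside it ("Fix three typos NamseID->NameID ..."); list the corrections this diff shows (usues -> uses in section 1, paramter -> parameter in sections 2.1 and 2.2 and in the -05 history entry, and the added contributor Mukesh Bhatnagar in Appendix A) so readers can track them without running rfcdiff.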
| skipping to change at page 12, line 17 ¶ | skipping to change at page 12, line 19 ¶ | |||
| o Change title to be more generic (allowing for client authn too) | o Change title to be more generic (allowing for client authn too) | |||
| o added client authentication to the abstract | o added client authentication to the abstract | |||
| o register and use urn:ietf:params:oauth:grant-type:saml2-bearer for | o register and use urn:ietf:params:oauth:grant-type:saml2-bearer for | |||
| grant type rather than http://oauth.net/grant_type/saml/2.0/bearer | grant type rather than http://oauth.net/grant_type/saml/2.0/bearer | |||
| o register urn:ietf:params:oauth:client-assertion-type:saml2-bearer | o register urn:ietf:params:oauth:client-assertion-type:saml2-bearer | |||
| o remove scope paramter as it is defined in | o remove scope parameter as it is defined in | |||
| http://tools.ietf.org/html/draft-ietf-oauth-assertions | http://tools.ietf.org/html/draft-ietf-oauth-assertions | |||
| o remove assertion param registration because it [should] be in | o remove assertion param registration because it [should] be in | |||
| http://tools.ietf.org/html/draft-ietf-oauth-assertions | http://tools.ietf.org/html/draft-ietf-oauth-assertions | |||
| o fix typo(s) and update/add references | o fix typo(s) and update/add references | |||
| draft-ietf-oauth-saml2-bearer-04 | draft-ietf-oauth-saml2-bearer-04 | |||
| o Changed the grant_type URI from | o Changed the grant_type URI from | |||
| End of changes. 7 change blocks. | ||||
| 6 lines changed or deleted | 10 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||
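As an added worked example (not code from the draft, its authors or their organizations), the following Python shows the transport binding described in sections 2.1 and 2.2 of both draft versions: base64url encoding per RFC 4648 section 5 with pad characters removed and no line wrapping, the form-encoded token request body for the saml2-bearer grant, the parameter pair for client authentication, and the token-endpoint side that rejects padded or wrapped values before decoding. The sample XML, issuer, subject and ID are constructed placeholders, not a valid signed assertion; the draft's assertion processing rules (signature, audience, validity window) are not in this excerpt and are not implemented here.

```python
import base64
from typing import Dict
from urllib.parse import parse_qs, urlencode

# Parameter values fixed by sections 2.1 and 2.2 of the draft.
GRANT_TYPE_SAML2_BEARER = "urn:ietf:params:oauth:grant-type:saml2-bearer"
CLIENT_ASSERTION_TYPE_SAML2_BEARER = (
    "urn:ietf:params:oauth:client-assertion-type:saml2-bearer"
)

# Constructed sample: a SAML-shaped XML fragment used only to exercise the
# encoding. It is not a valid, signed assertion; issuer, subject and ID are
# placeholders.
SAMPLE_ASSERTION_XML = (
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="_constructed-example" Version="2.0" '
    'IssueInstant="2011-08-01T00:00:00Z">'
    "<saml:Issuer>https://idp.example.invalid</saml:Issuer>"
    "<saml:Subject><saml:NameID>user@example.invalid</saml:NameID></saml:Subject>"
    "</saml:Assertion>"
)


def encode_assertion(xml_text: str) -> str:
    """base64url per RFC 4648 section 5, no line wrapping, pad characters removed.

    urlsafe_b64encode already zero-fills the trailing padding bits; only the
    '=' characters need stripping to follow the SHOULD NOT in the draft.
    """
    encoded = base64.urlsafe_b64encode(xml_text.encode("utf-8")).decode("ascii")
    return encoded.rstrip("=")


def decode_assertion(value: str) -> str:
    """Server-side inverse: reject padded or wrapped values, then restore padding.

    Python's decoder requires padding, so it is re-added (up to the next
    multiple of 4) before decoding.
    """
    if "=" in value or any(ch.isspace() for ch in value):
        raise ValueError("assertion must be unpadded, unwrapped base64url")
    padded = value + "=" * (-len(value) % 4)
    return base64.urlsafe_b64decode(padded).decode("utf-8")


def build_grant_request(xml_text: str, scope: str = "") -> str:
    """Form-encoded token request body for the saml2-bearer grant (section 2.1)."""
    params = {
        "grant_type": GRANT_TYPE_SAML2_BEARER,
        "assertion": encode_assertion(xml_text),
    }
    if scope:
        params["scope"] = scope
    # The assertion value contains only [A-Za-z0-9-_], so urlencode leaves it
    # untouched; that is the point of omitting padding and line breaks.
    return urlencode(params)


def build_client_auth_params(xml_text: str) -> Dict[str, str]:
    """Parameters for client authentication with a SAML assertion (section 2.2)."""
    return {
        "client_assertion_type": CLIENT_ASSERTION_TYPE_SAML2_BEARER,
        "client_assertion": encode_assertion(xml_text),
    }


def parse_grant_request(body: str) -> Dict[str, str]:
    """Token-endpoint side: check the grant_type and recover the assertion XML.

    Only the transport binding is handled; signature, audience, expiry and the
    draft's other processing rules are outside this excerpt.
    """
    fields = parse_qs(body, strict_parsing=True, keep_blank_values=True)
    if fields.get("grant_type") != [GRANT_TYPE_SAML2_BEARER]:
        raise ValueError("unsupported grant_type")
    if len(fields.get("assertion", [])) != 1:
        raise ValueError("exactly one assertion parameter is required")
    return {"assertion_xml": decode_assertion(fields["assertion"][0])}
```

Because the unpadded base64url alphabet consists only of characters that application/x-www-form-urlencoded passes through unchanged, the request body carries the assertion byte-for-byte as produced by encode_assertion; a padded or line-wrapped value would instead be percent-encoded a second time, which is the extra encoding step the draft is avoiding. The decoder's rejection of '=' and whitespace turns that SHOULD NOT into an explicit check at the token endpoint.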