To Push or Not to Push: that is the question
So I was designing OpenID Authn Artifact Binding based on OAuth.
OAuth pushes request token (RT) to the Service Provider (saml:responder, openid:op).
Then, I looked back at the saml artifact binding.
It is the opposite. It sends the artifact first and the SP/responder pulls the data from Consumer/requester. Why?
It has got to do with the scale.
When the SP/Responder is big, chances are that the servers are distributed and there will be a big sync up problem among them. Thus, when the RT/message is sent there and the user arrives through browser redirect, the RT/message itself may not be accessible from the server that the user landed.
In case of SAML flow, the requester creates the artifact, and in the artifact, there is a node index included. Then, user arrives to the responder with artifact, and the responder pulls the data using this artifact. When requester receives the artifact, it knows where the RT/message is stored, so it can reliably fetch it.
So, SAML actually is kinder to a large scale providers.
On the other hand, OAuth has its own edge. In case of OAuth, the Requester always makes the action. It does not matter if it is behind the firewall or something. Typically, if it is an application living on a PC or Phone or something like that, the chances are that SP/Responder/OP cannot reach the client because it has got a private address. Since OAuth had such use case from the beginning, I suppose, the current choice was made.
So, coming back to OpenID Artifact Binding: Which design should we chose?
To Pull, or to Push: That is the question.