Alice to Bob resource sharing

So I was in the UMA call today and that reminded me of this use case. How does Alice share her protected resources (like a medical test result) with Bob? I may have blogged about this in the past, but here is another try. The requirements: Alice needs to give permission to Bob to access her resource; The resource […]

Re: Limitations of the OAuth 2.0 definition of “Client”

Thomas Hardjono has a very good blog entry <<Limitations of the OAuth 2.0 definition of “Client”>>. The essence of the entry is that the definition of “client” in OAuth 2.0 (RFC 6749) is too limiting and does not fit many current uses of the specification. Here is the definition: client An application making protected resource requests on […]

Hyperlinked OAuth

I just published a new I-D on the hyperlinked OAuth that I talked about at IETF 85. Since it was pointed out that the “_links” member is actually holding metadata about the response, I named the document accordingly. It is fairly short, only 9 pages long. It is something to be discussed at the OAuth WG […]

[OAuth] Resource Owner != Client User

I have been preaching this numerous times, but let me do it once more. There seems to be a very common misperception in OAuth that the Resource Owner (the entity who gives permission for the resource access, aka “authorization”) and the client user at resource access time are the same. It is plainly […]