  1. OASIS Advanced Message Queuing Protocol (AMQP) TC
  2. AMQP-118

Add ability to retrieve tokens currently associated with the connection

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Won't Fix
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: Claims Based Security
    • Labels: None

      Description

      From: https://lists.oasis-open.org/archives/amqp-comment/201704/msg00001.html

      Hi there,

      I was reading through draft version 3 of the Claims Based Security document.

      The draft seems to only cover the case where a client wants to put one or more token(s) to a CBS node that it already has, i.e. the tokens have been issued by some other mechanism to the client already. Since section 4 already describes the usage of TLS and SASL to authenticate the client during connection establishment, I was wondering whether you have considered also allowing the container hosting the CBS node to create a token by itself based on the credentials conveyed to it during the SASL exchange and then make the token available to the client for retrieval, resulting in something like a "get token" operation.

      IMHO this would be useful in order to not require the client to connect to another service upfront in order to get a token. Instead, the server could either itself issue a token based on the verified credentials provided by the client or delegate this task to an identity provider it has a trust relationship with.

      This way, the client could use the same token for other connections (e.g. to other resource managers of the same overall system).

      Does this make any sense?

      Best regards

      Kai Hudalla
      Chief Software Architect

            People

            • Assignee: Unassigned
            • Reporter: Rob Godfrey (robgodfrey)