On 2017-11-17 10:02, Olaf Bergmann wrote:
> Ludwig Seitz <[email protected]> writes:
>
>> 5.) Francesca suggested to allow the AS to return a list of possible
>> profiles to the client in response to an access token
>> request. Currently only one profile is selected and optionally
>> returned by the AS (it could even be implicit and not be returned at
>> all).
>>
>> Background: The way I was thinking this should work was that both the
>> client and the RS need to be registered at the AS in order for the
>> exchanges to work. I made the assumption
>> (https://tools.ietf.org/html/draft-ietf-ace-oauth-authz-08#appendix-D)
>> that the AS would already know which profiles both C and RS support,
>> and thus just select the ideal one.
>>
>> What does the group think, should we instead allow for a list of
>> profiles and let the client select which one to use?
>
> I think that negotiating the profile between C and AS is inevitable, but
> returning a list of profiles with the AS-to-Client response might be
> difficult because there might be profile-specific claims that need to be
> included as well.
>
> I prefer a client-driven negotiation mechanism where the client may send
> the list of profiles it supports, and the server picks one from this list
> or returns an error if the resource server does not support any of
> these. If the client does not send this list, the AS just picks one as
> described by Ludwig.
>
> Grüße
> Olaf



Interesting point. We had a negotiation mechanism for profiles in an earlier version of the draft, and decided to pull it out again because it felt over-engineered, given the fact that the AS would know what profiles both C and RS support.

Regards,

Ludwig

--
Ludwig Seitz, PhD
Security Lab, RISE SICS
Phone +46(0)70-349 92 51
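The two selection options discussed above (the AS choosing from its own registry, versus the client sending its supported-profile list and the AS picking from it or returning an error), modelled as a small simulation. This is an added example and is not code from draft-ietf-ace-oauth-authz or from the ACE working group; the profile identifiers, the registry contents, the response parameter name "profile" and the error code are assumptions made for illustration.

```python
"""Toy model of AS-side profile selection for an ACE access token request.

Added illustration, not code from draft-ietf-ace-oauth-authz or the ACE WG.
Profile names, the registry layout, the "profile" parameter and the error
code are assumptions chosen for the example.
"""

# Constructed AS registry (assumed data): the profiles each registered client
# and resource server supports, in each party's order of preference.
CLIENT_PROFILES = {
    "client-1": ["coap_dtls", "coap_oscore"],
    "client-2": ["mqtt_tls"],
}
RS_PROFILES = {
    "rs-temp": ["coap_oscore", "coap_dtls"],
    "rs-door": ["coap_dtls"],
}


def select_profile(client_id, rs_id, requested=None):
    """Pick the single profile the AS will bind the token to.

    requested: optional list of profiles the client sent in its token
    request (the client-driven variant).  When it is absent the AS chooses
    from its registry alone (the AS-driven variant).  Returns the chosen
    profile name, or None if no profile is usable by both C and RS.
    """
    client_ok = CLIENT_PROFILES.get(client_id, [])
    rs_ok = RS_PROFILES.get(rs_id, [])
    if requested is None:
        # AS-driven: walk the RS preference order and take the first profile
        # the client is registered for.
        candidates = [p for p in rs_ok if p in client_ok]
    else:
        # Client-driven: honour the client's order, but still require the
        # profile to be registered for that client (a list in the request is
        # a hint, not a replacement for what the AS knows about the client)
        # and to be supported by the RS.
        candidates = [p for p in requested if p in client_ok and p in rs_ok]
    return candidates[0] if candidates else None


def handle_token_request(client_id, rs_id, requested=None):
    """Assemble the profile-relevant part of the AS-to-client response.

    Only profile selection is modelled.  The "unsupported_profile" error
    value is an assumption for the example, not one defined by the draft.
    """
    profile = select_profile(client_id, rs_id, requested)
    if profile is None:
        return {"error": "unsupported_profile"}   # assumed error code
    # Profile-specific claims (for instance a PoP key in the form the chosen
    # profile expects) would be built here; this is why the AS has to settle
    # on one profile before it can finish the response.
    return {"access_token": f"<token bound to {profile}>", "profile": profile}


if __name__ == "__main__":
    print(handle_token_request("client-1", "rs-temp"))
    print(handle_token_request("client-1", "rs-temp", ["coap_dtls", "coap_oscore"]))
    print(handle_token_request("client-2", "rs-temp"))
```

With no list in the request the AS follows the RS's preference and picks coap_oscore for client-1 and rs-temp; with the client's list present the client's order wins and coap_dtls is chosen; client-2 shares no profile with rs-temp and gets the error.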
