On 2018-08-28 18:44, Mike Jones wrote:
> Especially in light of the possibility of signed requests along the
> lines of https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-16, I
> believe that all the ACE OAuth parameters should be registered as CWT
> claims.

Ok.

> I'll repeat my request, wearing my designated expert hat,
> that application-specific values not be requested for registration in
> the one-byte ranges. The one-byte values should be saved for claims
> that are likely to span multiple kinds of applications.

So what is not generic OAuth 2.0 (+ OAuth introspection) is the following:

cnf
scope
profile
rs_cnf
req_aud
req_cnf
used_cnf

I am aware of your point-of-view on the 'profile' parameter and I
disagree with it (I feel it is sufficient to make it OPTIONAL).
What are your thoughts about the other parameters (keeping in mind that
'req_aud', 'req_cnf' and 'used_cnf' are going to replace the use of
'aud' and 'cnf' in the ACE request/response interactions)?
Regards,
Ludwig
--
Ludwig Seitz, PhD
Security Lab, RISE SICS
Phone +46(0)70-349 92 51