On 23/10/2018 21:09, Hannes Tschofenig wrote:

2) 'req_aud' parameter

At the last IETF OAuth meeting in Montreal we agreed to adopt a new document, called resource indicators, and it can be found here:

https://tools.ietf.org/html/draft-ietf-oauth-resource-indicators-01

I believe the parameter name and semantics defined in draft-ietf-oauth-resource-indicators-01 should match what is defined in draft-ietf-ace-oauth-params-00.

The name of the parameter in draft-ietf-oauth-resource-indicators-01 is 'resource' and it is defined as

    resource

       Indicates the location of the target service or resource where
       access is being requested.  Its value MUST be an absolute URI, as
       specified by Section 4.3 of [RFC3986], which MAY include a query
       component but MUST NOT include a fragment component.  Multiple
       "resource" parameters MAY be used to indicate that the requested
       token is intended to be used at multiple resources.

Looking closer at this draft:

The resource parameter seems to be much more limited than the audience claim, since a URI is required. As Steffi recently remarked in her review of draft-ietf-oauth-authz, URIs are not a good way to identify resources in constrained environments, since the address of a device can change.

Furthermore there seems also to be an overlap with the 'scope' parameter, since the 'resource' parameter can be used to indicate specific resources and not only the target RS.

What if we want to identify the audience by its public key instead of a URI?

What if a client wants to request a token for a group of RS identified by a specific audience value (e.g. "thermostats-building-1")?


/Ludwig


--
Ludwig Seitz, PhD
Security Lab, RISE
Phone +46(0)70-349 92 51

_______________________________________________
Ace mailing list
Ace@ietf.org
https://www.ietf.org/mailman/listinfo/ace

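To make the difference between the two parameter definitions concrete, here is an added example (not code from the draft, the ACE documents, or the thread's authors) of how an authorization server would enforce the 'resource' rule quoted above from draft-ietf-oauth-resource-indicators-01: each value must be an absolute URI in the sense of RFC 3986 section 4.3 (a scheme plus hier-part, query allowed, fragment forbidden) and the parameter may be repeated. The helper names, the error string, and the sample token-request parameters are assumptions constructed for this example; the audience-style values are the ones mentioned in the mail, and the point of running them through the check is that a syntactic audience such as "thermostats-building-1" is simply not expressible as a 'resource' value.

```python
"""Validate OAuth 2.0 'resource' request parameters per the text of
draft-ietf-oauth-resource-indicators-01 quoted above.  Added example;
function names and sample data are assumptions, not from the draft."""
import re
from urllib.parse import urlsplit

# RFC 3986, section 3.1: scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )
_SCHEME = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*$")


def is_valid_resource(value: str) -> bool:
    """Return True if value is an absolute-URI (RFC 3986 section 4.3):
    it has a syntactically valid scheme and carries no fragment.
    A query component is permitted; a fragment is not."""
    if "#" in value:          # MUST NOT include a fragment component
        return False
    parts = urlsplit(value)
    # A relative reference ("thermostats-building-1", "/temp") has no scheme,
    # so it is not an absolute URI and cannot be a 'resource' value.
    return bool(_SCHEME.match(parts.scheme))


def validate_resource_params(params: list[tuple[str, str]]) -> list[str]:
    """Collect every 'resource' value from decoded form parameters
    (e.g. the output of urllib.parse.parse_qsl on the token request body).
    Multiple 'resource' parameters are allowed by the draft; if any value is
    malformed the whole request is rejected.  The 'invalid_target' error code
    is the one RFC 8707 (the published resource indicators spec) defines for
    this case; treat its use here for the -01 draft as an assumption."""
    resources = [v for k, v in params if k == "resource"]
    bad = [v for v in resources if not is_valid_resource(v)]
    if bad:
        raise ValueError(f"invalid_target: {bad}")
    return resources


# Constructed token-request parameters, as parse_qsl() would return them.
SAMPLE_REQUEST = [
    ("grant_type", "client_credentials"),
    ("resource", "coaps://rs1.example/temperature?unit=c"),
    ("resource", "coaps://[2001:db8::1]/actuators/valve"),
]

# Audience-style identifiers from the discussion: a group name and a
# fragment-bearing URI.  Neither is an acceptable 'resource' value.
AUDIENCE_STYLE = [
    "thermostats-building-1",
    "coaps://rs1.example/temperature#frag",
]


if __name__ == "__main__":
    print("accepted:", validate_resource_params(SAMPLE_REQUEST))
    for v in AUDIENCE_STYLE:
        print(f"{v!r:45} valid resource? {is_valid_resource(v)}")
```

Note that the check is purely syntactic: a scheme-prefixed string such as "urn:example:rs-group" passes as an absolute URI even though it names no network location, so the draft's syntax does not by itself prevent using the parameter as an opaque audience label; it only rules out bare names and anything with a fragment.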