On 07/02/2019 16:24, Hannes Tschofenig wrote:
Hi all,

after re-reading token exchange, the resource indicator, and the ace-oauth-params drafts I am wondering whether it is really necessary to have different functionality in ACE vs. in OAuth for basic parameters.

Imagine I use an Authorization Server and I support devices that use CoAP and HTTP.

 1. If a device uses CoAP then it has to use the req_aud parameter to
    indicate to the authorization server that it wants to talk to a
    specific resource server. It would either put a URI or a logical
    name there.


 2. If a device uses HTTP then it has to use either the resource
    parameter to indicate to the authorization server that it wants to
    talk to a resource server, which is identified using a URI, or the
    audience parameter, if it uses a logical name.
We were told by OAuth that this is not how the audience parameter is used. What I understood from the feedback is that using a parameter called "aud" in a request to the token endpoint would be interpreted as a restriction on the audience of authorization servers that are addressed by this request.

That said, I'm all for alignment, but I'd like the parameter to be aligned with the JWT "aud" claim as well and currently "resource" is URI while "aud" is StringOrURI.

/Ludwig


--
Ludwig Seitz, PhD
Security Lab, RISE
Phone +46(0)70-349 92 51
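The datatype difference the reply points at (`resource` is a URI, `aud`/`req_aud` is StringOrURI) is easy to get wrong on the authorization-server side. The following is an added example, not code from the thread or from any ACE or OAuth implementation: a minimal token-endpoint check that validates each parameter against the datatype it is defined for and derives the `aud` value of the issued token. The registry of resource servers, the `profile` selector, the `invalid_target` mapping and the rule that `req_aud` appears exactly once are my assumptions; the absolute-URI-without-fragment rule for `resource` is the one from the resource indicators specification.

```python
"""Added example: validate audience-style token-endpoint parameters.

Assumptions (not stated in the thread):
  * OAuth/HTTP clients send `resource` (absolute URI, no fragment) and/or
    `audience` (logical name, StringOrURI), each possibly repeated.
  * ACE/CoAP clients send `req_aud` exactly once, as a StringOrURI.
  * The AS knows every resource server under a URI and a logical name,
    and the token's `aud` claim carries the logical name.
"""
from urllib.parse import urlsplit

# Constructed registry: resource-server URI -> logical name (hypothetical).
KNOWN_RS = {
    "coaps://rs1.example.com/": "rs1",
    "https://rs2.example.com/api": "rs2",
}
KNOWN_NAMES = set(KNOWN_RS.values())


class InvalidTarget(ValueError):
    """Raised when the requested target is malformed or unknown.

    An AS would map this to the `invalid_target` error response."""


def is_absolute_uri(value: str) -> bool:
    """True for an absolute URI (scheme + authority or path) with no fragment."""
    p = urlsplit(value)
    return bool(p.scheme) and bool(p.netloc or p.path) and not p.fragment


def resolve_resource(value: str) -> str:
    """`resource` must be an absolute URI naming a known RS; return its name."""
    if not is_absolute_uri(value):
        raise InvalidTarget(f"resource is not an absolute URI: {value!r}")
    if value not in KNOWN_RS:
        raise InvalidTarget(f"unknown resource server: {value!r}")
    return KNOWN_RS[value]


def resolve_name(value: str) -> str:
    """A logical name must match a registered RS name exactly."""
    if value not in KNOWN_NAMES:
        raise InvalidTarget(f"unknown audience name: {value!r}")
    return value


def token_audience(params: dict, profile: str) -> list:
    """Return the sorted list of RS names to place in the token's `aud`.

    `params` is the parsed request body, name -> list of values (as
    urllib.parse.parse_qs would produce). `profile` is "ace" for CoAP
    clients using req_aud, "oauth" for HTTP clients using resource/audience.
    """
    if profile == "ace":
        values = params.get("req_aud", [])
        if len(values) != 1:
            raise InvalidTarget("req_aud must be present exactly once")
        v = values[0]
        # StringOrURI: try the URI interpretation first, then the logical name.
        name = resolve_resource(v) if is_absolute_uri(v) else resolve_name(v)
        return [name]
    if profile == "oauth":
        names = set()
        for v in params.get("resource", []):
            names.add(resolve_resource(v))      # URI only
        for v in params.get("audience", []):
            names.add(resolve_name(v))          # logical name only
        if not names:
            raise InvalidTarget("no resource or audience given")
        return sorted(names)
    raise ValueError(f"unknown profile {profile!r}")


if __name__ == "__main__":
    print(token_audience({"req_aud": ["coaps://rs1.example.com/"]}, "ace"))
    print(token_audience({"resource": ["https://rs2.example.com/api"],
                          "audience": ["rs1"]}, "oauth"))
```

Note that a fragment in `resource` (for example `https://rs2.example.com/api#x`) is rejected before the registry lookup, and a bare logical name sent as `resource` is also rejected, while the same string is accepted as `audience` or `req_aud`; that asymmetry is exactly the datatype mismatch the reply describes.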


_______________________________________________
Ace mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ace
