Hello ACE (Cc to OAuth designated expert Justin), The progress of draft-ietf-ace-oauth-authz is currently blocked due to an issue that has come to light in the IANA review process, and I'd like to solicit the feedback of the WG to determine how to go forward.
The issue is related to parameters used by the AS when responding to an Introspection query (see https://datatracker.ietf.org/doc/html/draft-ietf-ace-oauth-authz-45#section-5.9.2). Our approach so far has been to map all OAuth parameters to ACE and map all parameters created for the ACE interaction back to OAuth. The issue is that some of the ACE parameters (cnonce and cti, see Figure 16) have the datatype "byte string". In OAuth the Introspection parameters are formatted as JSON payload, which precludes the use of raw byte strings, a fact we overlooked when we tried to register the new parameters in the OAuth registry ( see https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml#token-introspection-response). My proposed fix for this would be to amend the descriptions of these two parameters in 5.9.2, specifying that their JSON representation is a text string containing the Base64url encoding of the original byte string payload. Does the working group or the OAuth designated expert have any objections (or suggestions) to this approach? Regards, Ludwig -- Ludwig Seitz Infrastructure Security Analyst Combitech AB Djäknegatan 31 . SE-211 35 Malmö . Sweden Phone: +46 102 160 846 [email protected] . combitech.com This e-mail is private and confidential between the sender and the addressee. In the event of misdirection, the recipient is prohibited from using, copying or disseminating it or any information in it. Please notify the above of any such misdirection Please consider the environment before printing this e-mail! _______________________________________________ Ace mailing list [email protected] https://www.ietf.org/mailman/listinfo/ace
