Hello ACE,

Jim Schaad has brought up an interesting question [1] on
draft-ietf-ace-oauth-authz [2]:

Currently, when a client makes an unauthorized request to a resource
server, it gets back the address of the authorization server and
optionally a nonce (to prevent replay attacks).

Jim is suggesting adding hints as to the audience and scope the resource
server expects for accessing this resource.

I'm not sure whether that would not reveal too much information to a
potential attacker.

What does the group think of this issue?

/Ludwig

[1] https://github.com/ace-wg/ace-oauth/issues/124
[2] https://tools.ietf.org/html/draft-ietf-ace-oauth-authz-08#section-5.1.2
--
Ludwig Seitz, PhD
Security Lab, RISE SICS
Phone +46(0)70-349 92 51
_______________________________________________
Ace mailing list
https://www.ietf.org/mailman/listinfo/ace
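To make the exchange under discussion concrete, here is an added example (not from the draft, the issue, or the ACE working group) of a resource server building the AS Information it returns on an unauthorized request, once in the current minimal form (AS address plus nonce) and once with the proposed audience and scope hints. The CBOR map labels are an assumption: they follow the numbering later published in RFC 9200 (AS=1, audience=5, scope=9, cnonce=39) and may not match draft -08. The small CBOR encoder and the `disclosed_fields` helper are constructed for this demo so it runs without any third-party library.

```python
"""Constructed demo of the ACE-OAuth unauthorized-request step: the RS answers
a request with AS Information, optionally carrying audience/scope hints."""

import secrets

# CBOR map labels for AS Information. ASSUMPTION: these are the values later
# registered in RFC 9200; the -08 draft's own numbering may differ.
LABEL_AS = 1
LABEL_AUDIENCE = 5
LABEL_SCOPE = 9
LABEL_NONCE = 39  # "cnonce" in RFC 9200; the draft under discussion calls it nonce

LABEL_NAMES = {
    LABEL_AS: "AS",
    LABEL_NONCE: "nonce",
    LABEL_AUDIENCE: "audience",
    LABEL_SCOPE: "scope",
}


def _head(major: int, n: int) -> bytes:
    """CBOR initial byte(s) for major type `major` with argument `n`."""
    if n < 24:
        return bytes([(major << 5) | n])
    if n < 0x100:
        return bytes([(major << 5) | 24, n])
    if n < 0x10000:
        return bytes([(major << 5) | 25]) + n.to_bytes(2, "big")
    if n < 0x1_0000_0000:
        return bytes([(major << 5) | 26]) + n.to_bytes(4, "big")
    return bytes([(major << 5) | 27]) + n.to_bytes(8, "big")


def cbor_encode(obj) -> bytes:
    """Minimal CBOR encoder covering what AS Information needs: unsigned
    integers, byte strings, text strings and maps keyed by those types."""
    if isinstance(obj, bool):
        raise TypeError("booleans are not needed here")
    if isinstance(obj, int):
        if obj < 0:
            raise ValueError("negative integers are not needed here")
        return _head(0, obj)
    if isinstance(obj, bytes):
        return _head(2, len(obj)) + obj
    if isinstance(obj, str):
        data = obj.encode("utf-8")
        return _head(3, len(data)) + data
    if isinstance(obj, dict):
        body = b"".join(cbor_encode(k) + cbor_encode(v) for k, v in obj.items())
        return _head(5, len(obj)) + body
    raise TypeError(f"unsupported type: {type(obj).__name__}")


def as_information(as_uri: str, nonce: bytes, audience=None, scope=None) -> dict:
    """Build the AS Information map. The audience/scope hints are the proposed
    addition; they are only included when the caller supplies them."""
    info = {LABEL_AS: as_uri, LABEL_NONCE: nonce}
    if audience is not None:
        info[LABEL_AUDIENCE] = audience
    if scope is not None:
        info[LABEL_SCOPE] = scope
    return info


def disclosed_fields(info: dict) -> set:
    """Names of the fields any unauthenticated requester learns from the
    response. This is the information-disclosure surface the thread asks about."""
    return {LABEL_NAMES[label] for label in info}


def unauthorized_response(as_uri: str, include_hints: bool, audience=None,
                          scope=None, nonce=None) -> dict:
    """Constructed CoAP 4.01 response as the RS would send it. The
    include_hints switch lets an RS decide per resource whether to reveal
    the expected audience and scope to unauthenticated clients."""
    nonce = nonce if nonce is not None else secrets.token_bytes(8)
    info = as_information(
        as_uri,
        nonce,
        audience if include_hints else None,
        scope if include_hints else None,
    )
    return {
        "code": "4.01",  # CoAP Unauthorized
        "content_format": "application/ace+cbor",
        "payload": cbor_encode(info),
    }


if __name__ == "__main__":
    for hints in (False, True):
        r = unauthorized_response("coaps://as.example.com/token", hints,
                                  audience="rs1", scope="read")
        print(hints, r["payload"].hex())
```

Running the two variants side by side shows what changes on the wire: with hints enabled, the unauthenticated requester additionally learns the audience identifier and the scope string the RS expects, which is exactly the trade-off raised above. Keeping the hint decision a per-resource switch on the RS, rather than a protocol-wide default, lets an operator send hints only for resources where that information is not considered sensitive.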