The question is about how RS can find the issuer from a bearer token that it received from the client. Obviously, a header from the AS does not work. We would have to have some kind of structured token. It can be a JWS or something proprietary to the trust framework.
Note: the client is untrusted and forms an unprotected segment. You would have to treat the client as the smartest, in a bad way.

On Sun, 13 Mar 2016 at 10:04, Justin Richer <jric...@mit.edu> wrote:
> Agree with Phil, an additional header is a bad idea. It's not only yet another thing that can be attacked, it's another thing that can get out of sync by the client. Always assume OAuth clients are the dumbest parts of the system.
>
> -- Justin
>
> On 3/12/2016 2:36 PM, Phil Hunt (IDM) wrote:
>
> Right now we are discussing mis-configured clients that have been convinced to use a token or rs endpoint that has been mitm. Adding a new parameter increases attack surface because the rs is now ignoring the token and believing the header which may have been inserted.
>
> Phil
>
> On Mar 12, 2016, at 11:29, Jim Willeke <j...@willeke.com> wrote:
>
> Would a header be a concern if TLS was used for transportation?
>
> --
> -jim
> Jim Willeke
>
> On Sat, Mar 12, 2016 at 10:03 AM, Phil Hunt (IDM) <phil.h...@oracle.com> wrote:
>
>> A header might open another attack vector. Better to parse the jwt and look for the issuer assuming the jwt validates.
>>
>> Phil
>>
>> On Mar 12, 2016, at 09:02, Jim Willeke <j...@willeke.com> wrote:
>>
>> Why not register JWT as an access token type <https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml#token-types> and then the Issuer is implied?
>>
>> --
>> -jim
>> Jim Willeke
>>
>> On Sat, Mar 12, 2016 at 8:32 AM, Mike Schwartz <m...@gluu.org> wrote:
>>
>>> Kawasaki-san,
>>>
>>> This is a really good question: how to know the issuer of a bearer token. Is there a header that could be added to specify the issuer, or other important metadata?
>>>
>>> - Mike
>>>
>>> -------------------------------------
>>> Michael Schwartz
>>> Gluu
>>> Founder / CEO
>>> m...@gluu.org
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
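As an added illustration of Phil's suggestion (parse the JWT and take the issuer only once the token validates), not code from the thread or from any of the participants: the RS reads `iss` from the not-yet-verified token solely to choose which configured key to check, and only returns an issuer after the signature verifies under that key. The trusted issuer list, the HS256 shared key and the token builder are constructed assumptions for the demo; a real RS would hold the issuer's public keys.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed: issuers this RS is configured to trust, with the key used to
# check their signatures. Anything not listed here has no key and is rejected.
TRUSTED_ISSUERS = {
    "https://as.example.com": b"constructed-demo-key-for-as-example-com",
}


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_hs256_jwt(claims: dict, key: bytes) -> str:
    """Constructed stand-in for the AS: build a compact HS256 JWS."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def issuer_of_bearer_token(token: str) -> Optional[str]:
    """Return the issuer only if the token is a JWS signed with a trusted issuer's key.

    The unverified 'iss' claim is used only to pick the key to check against;
    no claim is trusted until the signature verifies under that key.
    """
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
    except ValueError:
        return None  # not a structured token we understand (opaque, malformed)
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return None
    if header.get("alg") != "HS256":
        return None  # pin the algorithm; the token does not get to choose it
    iss = payload.get("iss")
    key = TRUSTED_ISSUERS.get(iss)
    if key is None:
        return None  # unknown issuer: nothing to verify against
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return None  # signature fails: the 'iss' we read is worthless
    return iss
```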