We rethought aud in https://tools.ietf.org/html/draft-campbell-oauth-resource-indicators
We wanted it to work with bearer tokens so that the AS could put an audience in the token that could not be faked by a malicious RS. For the bearer token use case it needs to be a URI to avoid the client being tricked.

For a PoP token it could be logical if the token proof presentment mechanism is secure against RS spoofing. Presentment mechanisms that are bound to TLS by an EKM or via mutual TLS are OK. At the application layer the presentment would need to sign over the resource URI to prevent forwarding. Something that used only a signature over a challenge would still rely on there being an unspoofable audience in the AT itself.

You could securely do a logical resource for bearer. It could be something like the RS would provide its logical resource URI as part of an authenticate response along with the scopes required. The client could de-reference the logical scope URI to retrieve a JSON object containing back pointers to the physical resource URI covered by that logical audience. It could also contain other RS meta-data.

We do something like that in Connect to allow multiple redirect URIs to generate the same pairwise identifier.
http://openid.net/specs/openid-connect-registration-1_0.html#SectorIdentifierValidation

RS discovery has been shuffled aside in the WG for the moment.

I would be OK with res/aud being a logical identifier if it points to meta-data like aud in id_tokens points to meta-data for the AS. I think making res/aud a free form string would come back and bite us on the ass.

John B.

> On Mar 3, 2017, at 9:10 AM, Ludwig Seitz <lud...@sics.se> wrote:
>
> On 2017-02-24 22:58, John Bradley wrote:
>> I updated the references but haven't made any other changes.
>>
>> I had some questions about it so thought it was worth keeping alive
>> at least for discussion.
>>
>> There have been some other questions and proposed changes.
>>
>> I will take a look through them and see what may be worth updating.
>>
>> John B.
>>
>
> Question about the 'aud' parameter: Wouldn't it be useful to allow other
> values than URIs for that one?
>
> One could easily imagine a group identifier as value of that field, where the
> RS internally resolves whether it is part of that group and therefore the
> target audience of that token.
>
> Regards,
>
> Ludwig
>
> --
> Ludwig Seitz, PhD
> Security Lab, RISE ICT/SICS
> Phone +46(0)70-349 92 51
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
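The "logical resource URI that de-references to metadata" idea sketched in John's message above, worked through as an added example (this is not code from the resource-indicators draft, the OAuth WG, or either poster). It models the client-side check that makes a logical bearer audience safe against a spoofing RS, by analogy with OpenID Connect sector identifier validation: the client only presents a token for a logical audience to a physical URI that the audience's own (HTTPS-served) metadata lists, so a rogue RS cannot borrow a legitimate audience value to harvest tokens. The WWW-Authenticate parameter name `resource`, the metadata keys `resource_uris` and `scopes_supported`, and the `fetch_json` fixture (an in-memory stand-in for an HTTPS GET of the logical URI) are all assumptions made for this example.

```python
"""
Logical-audience validation for bearer tokens (illustrative, not from any spec).

  1. RS answers an unauthenticated request with 401 and a Bearer challenge that
     names its *logical* resource URI and the scopes it requires.
  2. Client de-references the logical URI over HTTPS and gets a JSON object
     listing the *physical* resource URIs that audience covers (back pointers).
  3. Client requests/presents a token for that audience only if the physical
     URI it is about to call is on the list.
  4. AS mints the token with aud = logical URI; RS checks aud against its own.
"""
import json
import re
from urllib.parse import urlsplit

# Assumed names for this example: "resource" challenge parameter, "resource_uris"
# and "scopes_supported" metadata keys.
_PARAM_RE = re.compile(r'(\w+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,]+))')

def parse_bearer_challenge(header):
    """Parse the parameters of a 'Bearer ...' WWW-Authenticate value (RFC 6750 style)."""
    scheme, _, rest = header.strip().partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError("not a Bearer challenge")
    params = {}
    for key, quoted, bare in _PARAM_RE.findall(rest):
        params[key.lower()] = (quoted if quoted else bare).replace('\\"', '"')
    return params

def _origin(parts):
    """(scheme, host, port) of a urlsplit result, with default ports filled in."""
    port = parts.port or (443 if parts.scheme.lower() == "https" else 80)
    return (parts.scheme.lower(), (parts.hostname or "").lower(), port)

def covers(logical_uri, physical_uri, fetch_json):
    """True iff metadata served *at the logical URI itself* lists physical_uri.

    Trust comes from the fetch: only whoever controls the logical URI's origin
    can publish that document, so a rogue RS cannot add its own host to it."""
    phys = urlsplit(physical_uri)
    if urlsplit(logical_uri).scheme.lower() != "https" or phys.scheme.lower() != "https":
        return False  # a plain-http logical URI could be served by anyone on path
    try:
        meta = fetch_json(logical_uri)
    except Exception:
        return False
    listed = meta.get("resource_uris", [])
    if not isinstance(listed, list):
        return False
    for entry in listed:
        if not isinstance(entry, str):
            continue
        lst = urlsplit(entry)
        # Same origin and the listed path is a prefix of the path being called.
        if _origin(lst) == _origin(phys) and phys.path.startswith(lst.path or "/"):
            return True
    return False

def audience_for_request(physical_uri, www_authenticate, fetch_json):
    """Client side: (aud, scopes) it may safely obtain a token for, else None."""
    ch = parse_bearer_challenge(www_authenticate)
    logical = ch.get("resource")
    if not logical or not covers(logical, physical_uri, fetch_json):
        return None
    return logical, ch.get("scope", "").split()

def rs_accepts(token_claims, my_logical_uri):
    """RS side: accept only a token minted for this RS's own logical audience."""
    aud = token_claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    return my_logical_uri in auds

# Constructed offline fixture standing in for an HTTPS GET of the logical URI.
LOGICAL = "https://api.example.com/audiences/inventory"
METADATA = {
    LOGICAL: {
        "resource_uris": ["https://api.example.com/v1/inventory/", "https://inv2.example.com/"],
        "scopes_supported": ["inventory.read", "inventory.write"],
    }
}
def fetch_json(uri):
    return json.loads(json.dumps(METADATA[uri]))  # KeyError -> covers() returns False

CHALLENGE = 'Bearer realm="inv", resource="%s", scope="inventory.read"' % LOGICAL
GOOD_RS = "https://api.example.com/v1/inventory/items"
ROGUE_RS = "https://evil.example/v1/inventory/items"  # replays the same challenge

if __name__ == "__main__":
    print(audience_for_request(GOOD_RS, CHALLENGE, fetch_json))   # (LOGICAL, ['inventory.read'])
    print(audience_for_request(ROGUE_RS, CHALLENGE, fetch_json))  # None: not in the metadata
    print(rs_accepts({"aud": LOGICAL}, LOGICAL))                  # True
```

Note what the check does and does not buy: it stops a rogue RS from collecting tokens scoped to someone else's audience, which is the bearer-token concern in the message above. It does nothing for a PoP token whose proof is not bound to the resource URI or to the TLS channel; that case still needs the presentment mechanism itself to defeat forwarding.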
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth