Couldn't the AS issue a token where the audience restriction is a list?
This is true of the id_token spec.
On 8/27/18 2:24 PM, Torsten Lodderstedt wrote:
Am 27.08..2018 um 11:32 schrieb Vladimir Dzhuvinov
<vladi...@connect2id.com <mailto:vladi...@connect2id.com>>:
Thanks for the update!
https://tools.ietf.org/html/draft-ietf-oauth-security-topics-07#section-3.7.1.3
Audience restricted access token:
In a multi-RS environment with aud-restricted token policy in place,
how should the AS respond to an authZ request with scope values that
belong to more than one RS?
That’s a really good question!
I see the following options:
1) the AS may abort and require the client to request tokens for
different RSs using multiple authz requests (not cool)
2) the AS mints an access token for one of the resource servers and
indicates this in the scope parameter of the token response. The AS
may additionally issue a refresh token for the complete scope
3) the client could indicate the target RS it wants to interact with
in the first step (e.g. using the resource parameter introduced by the
resource indicators draft). The rest could work like (2)
kinds regards,
Torsten..
Vladimir
On 24/08/18 12:57, Torsten Lodderstedt wrote:
Hi all,
I just published a new revision of the OAuth Security BCP.
Here is the list of changes:
* added section on access token privilege restriction based on comments from
Johan Peeters
* incorporated findings of Doug McDorman (e.g. domains used in examples)
* added section on HTTP status codes for redirects
kind regards,
Torsten.
Am 24.08.2018 um 11:51 schriebinternet-dra...@ietf.org:
A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Web Authorization Protocol WG of the IETF.
Title : OAuth 2.0 Security Best Current Practice
Authors : Torsten Lodderstedt
John Bradley
Andrey Labunets
Daniel Fett
Filename : draft-ietf-oauth-security-topics-07.txt
Pages : 33
Date : 2018-08-24
Abstract:
This document describes best current security practices for OAuth
2.0. It updates and extends the OAuth 2.0 Security Threat Model to
incorporate practical experiences gathered since OAuth 2.0 was
published and covers new threats relevant due to the broader
application of OAuth 2.0.
The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-security-topics/
There are also htmlized versions available at:
https://tools.ietf.org/html/draft-ietf-oauth-security-topics-07
https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-07
A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-security-topics-07
Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available attools.ietf.org
<http://tools..ietf.org>.
Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
OAuth@ietf.org <mailto:OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
