Re: [OAUTH-WG] Shepherd write-up for draft-ietf-oauth-resource-indicators-01

Thu, 17 Jan 2019 11:32:14 -0800 

We have discussed this.

Audiences can certainly be logical identifiers.
This however is a more specific location.  The AS is free to map the location into some abstract audience in the AT.
From a security point of view once the client starts asking for logical resources it can be tricked into asking for the wrong one as a bad resource can always lie about what logical resource it is.
If we were to change it, how a client would validate it becomes challenging to impossible.
The AS is free to do whatever mapping of locations to identifiers it needs for access tokens.
Some implementations may want to keep additional parameters like logical audience, but that should be separate from resource. 

John B.

On 1/17/2019 9:56 AM, Rifaat Shekh-Yusef wrote:

Hi Vittorio,

The text you quoted is copied form the abstract of the draft itself.

*
*
*Authors,*

Should the draft be updated to cover the logical identifier case?

Regards,
 Rifaat
On Thu, Jan 17, 2019 at 8:19 AM Vittorio Bertocci <vitto...@auth0.com <mailto:vitto...@auth0.com>> wrote: 

    Hi Rifaat,
    one detail. The tech summary says

    An extension to the OAuth 2.0 Authorization Framework defining request
    parameters that enable a client to explicitly signal to an authorization 
server
    about the*location*  of the protected resource(s) to which it is requesting
    access.

    But at least in the Microsoft implementation, the resource
    identifier doesn't /have/ to be a network addressable URL (and if
    it is, it doesn't strictly need to match the actual resource
    location). It can be a logical identifier, tho using the actual
    resource location there has benefits (domain ownership check,
    prevention of token forwarding etc).
    Same for Auth0, the audience parameter is a logical identifier
    rather than a location.



    On Wed, Jan 16, 2019 at 6:32 PM Rifaat Shekh-Yusef
    <rifaat.i...@gmail.com <mailto:rifaat.i...@gmail.com>> wrote:

        All,

        The following is the first shepherd write-up for
        the draft-ietf-oauth-resource-indicators-01 document.
        
https://datatracker.ietf.org/doc/draft-ietf-oauth-resource-indicators/shepherdwriteup/

        Please, take a look and let me know if I missed anything.

        Regards,
         Rifaat

        _______________________________________________
        OAuth mailing list
        OAuth@ietf.org <mailto:OAuth@ietf.org>
        https://www.ietf.org/mailman/listinfo/oauth


_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

Reply via email to