On 28/01/2019 23:12, George Fletcher wrote:
I also don't know that this raises to the level of "concern" but I find
the parameter name of "req_aud" odd. Given that the parameter in the
resource-indicators spec is 'resource' why not use a parameter name of
'audience'. That said, I have not read the thread on the ACE working
group list so there could be very good reasons for the chosen name:)
I do think that there is a lot of overlap (in most cases) between
'resource' and 'audience' and having two parameters that cover a lot of
the same semantics is going to be confusing for developers. When calling
an API at a resource server, the 'audience' and the 'resource' are
pretty equivalent. Maybe in other use cases they are distinctly separate?
To give you all the background of "req_aud" from ACE (sorry for the long
text):
Originally in ACE we had defined the "aud" parameter for requests to the
token endpoint with the semantics that the client was requesting a token
for a certain audience (i.e. requesting that the AS copy the "aud"
parameter value into the "aud" claim value of the token).
We were then told that this collided with a use of "aud" in OAuth, that
specifies the intended audience of Authorization Servers (if I remember
correctly), so we decided to rename our parameter to "req_aud" for
"requested audience".
Mike Jones then made us aware of the work on resource indicators, but
upon closer examination I found the "resource" parameter to be more
limited than the "req_aud", since resource specifically states:
"Its value MUST be an absolute URI ... the "resource" parameter URI
value is an identifier representing the identity of the resource"
My interpretation of this is that "resource" refers to a single
resource, which is more constrained than the definition of the "aud"
claim from 7519, which uses a StringOrURI value. For example my intent
was to use "aud" and "req_aud" for group identifiers
("temperatureSensorGroup4711") and other non-uri strings
(hash-of-public-key), which I cannot do with "resource". We therefore
decided to keep the "req_aud" parameter in draft-ietf-ace-oauth-params,
even though is clearly overlaps with "resource".
Any comments and suggestions about that line of reasoning (especially
from the OAuth point of view) are very welcome.
/Ludwig
--
Ludwig Seitz, PhD
Security Lab, RISE
Phone +46(0)70-349 92 51
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
