Re: [Ace] Resource, Audience, and req_aud

Ludwig Seitz <ludwig.seitz@ri.se> Thu, 07 February 2019 15:33 UTC

To: <ace@ietf.org>
References: <VI1PR0801MB21126944E558E53992EB7FD3FA680@VI1PR0801MB2112.eurprd08.prod.outlook.com>
From: Ludwig Seitz <ludwig.seitz@ri.se>
Message-ID: <c62835cb-6d98-f5dc-d8d8-fe80181a8a5c@ri.se>
Date: Thu, 7 Feb 2019 16:33:44 +0100
In-Reply-To: <VI1PR0801MB21126944E558E53992EB7FD3FA680@VI1PR0801MB2112.eurprd08.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/tKSSIz5Loh92D686H-7Y9S5C1L0>

On 07/02/2019 16:24, Hannes Tschofenig wrote:
> Hi all,
> 
> after re-reading token exchange, the resource indicator, and the 
> ace-oauth-params drafts I am wondering whether it is really necessary to 
> have different functionality in ACE vs. in OAuth for basic parameters.
> 
> Imagine I use an Authorization Server and I support devices that use 
> CoAP and HTTP.
> 
>  1. If a device uses CoAP then it has to use the req_aud parameter to
>     indicate to the authorization server that it wants to talk to a
>     specific resource server. It would either put a URI or a logical
>     name there.
> 
>  2. If a device uses HTTP then it has to use either the resource
>     parameter to indicate to the authorization server that it wants to
>     talk to a resource server, which is identified using a URI, or the
>     audience parameter, if it uses a logical name. 
> 
We were told by OAuth that this is not how the audience parameter is 
used. What I understood from the feedback is that using a parameter 
called "aud" in a request to the token endpoint would be interpreted as 
a restriction on the audience of authorization servers that are 
addressed by this request.

That said, I'm all for alignment, but I'd like the parameter to be 
aligned with the JWT "aud" claim as well and currently "resource" is URI 
while "aud" is StringOrURI.

/Ludwig


-- 
Ludwig Seitz, PhD
Security Lab, RISE
Phone +46(0)70-349 92 51
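The type mismatch Ludwig points at (the "resource" parameter is an absolute URI, while a JWT "aud" claim is StringOrURI) is easy to get wrong at the token endpoint. The following is an added example, not code from the thread or from any ACE implementation: it validates a "resource" value with the absolute-URI rule (RFC 3986, no fragment), a "req_aud" value with the RFC 7519 StringOrURI rule, and only then binds the value into the token's "aud" claim. The registry of known resource servers is constructed for the example.

```python
from urllib.parse import urlparse

# Constructed registry: identifiers (logical names or URIs) of the resource
# servers this authorization server is willing to issue tokens for.
KNOWN_RS = {"tempSensor4711", "coaps://rs.example.com/temp"}


def is_absolute_uri(value):
    """Absolute URI per RFC 3986: a scheme is required, a fragment is not allowed."""
    if not isinstance(value, str) or "#" in value:
        return False
    p = urlparse(value)
    return bool(p.scheme) and bool(p.netloc or p.path)


def is_string_or_uri(value):
    """RFC 7519 StringOrURI: any non-empty string, but if it contains ':' it must be a URI."""
    if not isinstance(value, str) or not value:
        return False
    return is_absolute_uri(value) if ":" in value else True


def select_audience(params):
    """Pick the target RS from the token request and return the 'aud' claim value."""
    if "resource" in params:
        value = params["resource"]
        if not is_absolute_uri(value):
            raise ValueError("invalid_target: resource must be an absolute URI without fragment")
    elif "req_aud" in params:
        value = params["req_aud"]
        if not is_string_or_uri(value):
            raise ValueError("invalid_request: req_aud must be StringOrURI")
    else:
        # A bare "aud" request parameter is not treated as an RS indicator here,
        # matching the OAuth feedback described in the message above.
        raise ValueError("invalid_request: no target resource server indicated")
    # Only bind the token to a resource server this AS actually knows about;
    # an unknown target must not be echoed into the aud claim.
    if value not in KNOWN_RS:
        raise ValueError("invalid_target: unknown resource server")
    return value


def is_rejected(params):
    """True if the request is refused; used to exercise the error paths."""
    try:
        select_audience(params)
    except ValueError:
        return True
    return False
```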