Re: [OAUTH-WG] Must the Audience value in the Assertions Spec be a URI?

John Bradley <ve7jtb@ve7jtb.com> Fri, 28 December 2012 00:53 UTC

From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <8b1f49ba29404f349af3dc3abb2878e4@BY2PR03MB041.namprd03.prod.outlook.com>
Date: Thu, 27 Dec 2012 21:53:41 -0300
Message-Id: <76EAF572-1701-4FB6-AA20-21831D8055D7@ve7jtb.com>
References: <4E1F6AAD24975D4BA5B1680429673943669A88C1@TK5EX14MBXC283.redmond.corp.microsoft.com> <CE2FF7F1-C630-49E1-A942-C1CEB8ACF93E@ve7jtb.com> <8b1f49ba29404f349af3dc3abb2878e4@BY2PR03MB041.namprd03.prod.outlook.com>
To: Anthony Nadalin <tonynad@microsoft.com>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Must the Audience value in the Assertions Spec be a URI?

The discussion on the Connect call was that audience could be a literal or an array.

Example:

"aud":["http://audiance1.com","http://audiance2.com"]

In some cases the token may want to have more than a single audience.  
(anthropomorphic license)

In the simple case it would still be:
"aud":"http://audiance1.com"

While dynamic typing of variables is not my favourite thing in principle, I am assured that this is common JSON syntax that people can deal with.

The idea is to standardize this rather than everyone coming up with their own way around the restriction, as Google did by adding the prn claim.

At least this way, if you only trust tokens with yourself as the audience, you have an easy way to check.

John B.

On 2012-12-27, at 7:57 PM, Anthony Nadalin <tonynad@microsoft.com> wrote:

> What do you mean by multi-valued and what are the semantics of multi-valued?
>  
> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of John Bradley
> Sent: Thursday, December 27, 2012 5:32 AM
> To: Mike Jones
> Cc: oauth@ietf.org
> Subject: Re: [OAUTH-WG] Must the Audience value in the Assertions Spec be a URI?
>  
> Agreed.
>  
> We need to clarify that the value of the audience claim can be multi valued as well. 
>  
> John B.
>  
> On 2012-12-26, at 10:43 PM, Mike Jones <Michael.Jones@microsoft.com> wrote:
> 
> 
> http://tools.ietf.org/html/draft-ietf-oauth-assertions-08#section-5.1 currently says:
>  
>    Audience  A URI that identifies the party intended to process the
>       assertion.  The audience SHOULD be the URL of the Token Endpoint
>       as defined in Section 3.2 of OAuth 2.0 [RFC6749].
>  
> I think that “URI” should be changed to “value”, since audience values in general need not be URIs.  In particular, in some contexts OAuth client_id values are used as audience values, and they need not be URIs.  Also, SAML allows multiple audiences (and indeed, the OAuth SAML profile is written in terms of “an audience value” – not “the audience value”), and so the generic Assertions spec should do likewise.
>  
> Thus, I would propose changing the text above to the following:
>  
>    Audience  A value that identifies the parties intended to process the
>       assertion.  An audience value SHOULD be the URL of the Token Endpoint
>       as defined in Section 3.2 of OAuth 2.0 [RFC6749].
>  
>                                                             -- Mike
>  
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
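The audience check John Bradley describes at the top of this message (accept "aud" as either a single string or an array of strings, and only trust the token if your own identifier is among the listed values) is shown below as an added example. It is not code from the thread or from any OAuth specification; the function names, the recipient identifier "client-abc" and the sample claim sets are constructed for illustration, and the example generalizes slightly by failing closed on every other shape of "aud" (missing claim, empty array, non-string entries, numbers, objects).

```python
import json

# Added example: tolerant parsing of the "aud" claim, strict matching.
# Function names and sample values are constructed for this illustration.


def audience_values(aud_claim):
    """Normalize the 'aud' claim to a list of non-empty strings.

    Accepts the two shapes discussed on the list: a single string or an
    array of strings.  Anything else (empty string, empty array, nested
    arrays, numbers, objects, mixed-type arrays) yields None so that the
    caller fails closed instead of guessing.
    """
    if isinstance(aud_claim, str):
        return [aud_claim] if aud_claim else None
    if isinstance(aud_claim, list):
        if not aud_claim:
            return None
        if not all(isinstance(a, str) and a for a in aud_claim):
            return None
        return list(aud_claim)
    return None


def is_intended_audience(claims, my_identifier):
    """True only when this recipient appears in the token's audience list.

    Comparison is an exact string match: no URL normalization, no prefix
    matching.  A token that names nobody, or names only other parties,
    is rejected.
    """
    if "aud" not in claims:
        return False
    values = audience_values(claims["aud"])
    if values is None:
        return False
    return my_identifier in values


def check_payload(payload_json, my_identifier):
    """Parse a JSON claim set and report whether it is addressed to us."""
    try:
        claims = json.loads(payload_json)
    except ValueError:
        return False
    if not isinstance(claims, dict):
        return False
    return is_intended_audience(claims, my_identifier)


if __name__ == "__main__":
    # Constructed sample claim sets using the example audiences from the thread.
    me = "http://audiance1.com"
    samples = [
        '{"aud": "http://audiance1.com"}',                            # single string
        '{"aud": ["http://audiance1.com", "http://audiance2.com"]}',  # array, we are listed
        '{"aud": ["http://audiance2.com"]}',                          # array, someone else
        '{"aud": "http://audiance1.com/"}',                           # trailing slash: no match
        '{"aud": []}',                                                # empty array
        '{"aud": 42}',                                                # wrong type
        '{"iss": "http://audiance1.com"}',                            # no aud at all
    ]
    for s in samples:
        print(f"{s:<60} -> {check_payload(s, me)}")
```

Because the comparison is exact, an audience written as a URL with a trailing slash or a different scheme does not match the bare form; a relying party that wants to accept several spellings of its own identifier should add them to the comparison set rather than loosening the match.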