Re: [OAUTH-WG] Must the Audience value in the Assertions Spec be a URI?

Anthony Nadalin <tonynad@microsoft.com> Thu, 27 December 2012 22:57 UTC

From: Anthony Nadalin <tonynad@microsoft.com>
To: Torsten Lodderstedt <torsten@lodderstedt.net>, Mike Jones <Michael.Jones@microsoft.com>
Date: Thu, 27 Dec 2012 22:55:58 +0000
Message-ID: <8239313babad4a5ba73de1740093ff26@BY2PR03MB041.namprd03.prod.outlook.com>
References: <4E1F6AAD24975D4BA5B1680429673943669A88C1@TK5EX14MBXC283.redmond.corp.microsoft.com> <0D574E13-BA0C-46BD-9A27-37C06EAA1986@lodderstedt.net>
In-Reply-To: <0D574E13-BA0C-46BD-9A27-37C06EAA1986@lodderstedt.net>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Must the Audience value in the Assertions Spec be a URI?

Concern here is that value could be an “interpretation” and thus you may get different results that you don’t get when it’s a URI.

From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Torsten Lodderstedt
Sent: Wednesday, December 26, 2012 10:46 PM
To: Mike Jones
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] Must the Audience value in the Assertions Spec be a URI?

+1

On 27.12.2012 at 02:43, Mike Jones <Michael.Jones@microsoft.com> wrote:
http://tools.ietf.org/html/draft-ietf-oauth-assertions-08#section-5.1 currently says:

   Audience  A URI that identifies the party intended to process the
      assertion.  The audience SHOULD be the URL of the Token Endpoint
      as defined in Section 3.2 (http://tools.ietf.org/html/draft-ietf-oauth-assertions-08#section-3.2) of OAuth 2.0 [RFC6749] (http://tools.ietf.org/html/rfc6749).

I think that “URI” should be changed to “value”, since audience values in general need not be URIs.  In particular, in some contexts OAuth client_id values are used as audience values, and they need not be URIs.  Also, SAML allows multiple audiences (and indeed, the OAuth SAML profile is written in terms of “an audience value” – not “the audience value”), and so the generic Assertions spec should do likewise.

Thus, I would propose changing the text above to the following:

   Audience  A value that identifies the parties intended to process the
      assertion.  An audience value SHOULD be the URL of the Token Endpoint
      as defined in Section 3.2 (http://tools.ietf.org/html/draft-ietf-oauth-assertions-08#section-3.2) of OAuth 2.0 [RFC6749] (http://tools.ietf.org/html/rfc6749).

                                                            -- Mike
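An added example, not from the thread or from the draft itself, of how a token endpoint would validate an audience restriction under the proposed wording: the assertion's audience may be one value or several, and each value may be the token endpoint URL or a client_id. Comparison is exact, which addresses the "interpretation" concern in the reply above; the endpoint URL and client_id values are constructed placeholders.

```python
# Added example: audience validation when the audience is a single value or a
# list (JWT "aud" and SAML <Audience> both allow either) and values may be a
# token endpoint URL or a client_id. Not code from the draft or the thread.
from typing import Iterable, List, Union

Audience = Union[str, Iterable[str]]


def audience_values(aud: Audience) -> List[str]:
    """Return the assertion's audience as a list of strings, leaving each value untouched."""
    if isinstance(aud, str):
        return [aud]
    values = list(aud)
    if not all(isinstance(v, str) for v in values):
        raise TypeError("audience values must be strings")
    return values


def audience_accepted(aud: Audience, accepted: Iterable[str]) -> bool:
    """True if at least one audience value exactly equals one of our own identifiers.

    Exact string comparison only: no URL normalisation, case folding or prefix
    matching, so two verifiers cannot reach different answers for the same value.
    An empty audience list matches nothing.
    """
    ours = set(accepted)
    return any(v in ours for v in audience_values(aud))


# Constructed sample identifiers for this authorization server (hypothetical):
# its token endpoint URL and the client_id a federation partner knows it by.
ACCEPTED_AUDIENCES = ("https://as.example/token", "s6BhdRkqt3")


def check_assertion(claims: dict) -> bool:
    """Reject an assertion whose audience is absent or names none of our identifiers."""
    if "aud" not in claims:
        return False
    return audience_accepted(claims["aud"], ACCEPTED_AUDIENCES)
```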

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth