Re: [OAUTH-WG] Must the Audience value in the Assertions Spec be a URI?

John Bradley <ve7jtb@ve7jtb.com> Thu, 27 December 2012 13:31 UTC

From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <4E1F6AAD24975D4BA5B1680429673943669A88C1@TK5EX14MBXC283.redmond.corp.microsoft.com>
Date: Thu, 27 Dec 2012 10:31:40 -0300
Message-Id: <CE2FF7F1-C630-49E1-A942-C1CEB8ACF93E@ve7jtb.com>
References: <4E1F6AAD24975D4BA5B1680429673943669A88C1@TK5EX14MBXC283.redmond.corp.microsoft.com>
To: Mike Jones <Michael.Jones@microsoft.com>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Must the Audience value in the Assertions Spec be a URI?

Agreed.

We need to clarify that the value of the audience claim can be multi-valued as well.

John B.

On 2012-12-26, at 10:43 PM, Mike Jones <Michael.Jones@microsoft.com> wrote:

> http://tools.ietf.org/html/draft-ietf-oauth-assertions-08#section-5.1 currently says:
>  
>    Audience  A URI that identifies the party intended to process the
>       assertion.  The audience SHOULD be the URL of the Token Endpoint
>       as defined in Section 3.2 of OAuth 2.0 [RFC6749].
>  
> I think that “URI” should be changed to “value”, since audience values in general need not be URIs.  In particular, in some contexts OAuth client_id values are used as audience values, and they need not be URIs.  Also, SAML allows multiple audiences (and indeed, the OAuth SAML profile is written in terms of “an audience value” – not “the audience value”), and so the generic Assertions spec should do likewise.
>  
> Thus, I would propose changing the text above to the following:
>  
>    Audience  A value that identifies the parties intended to process the
>       assertion.  An audience value SHOULD be the URL of the Token Endpoint
>       as defined in Section 3.2 of OAuth 2.0 [RFC6749].
>  
>                                                             -- Mike
>  
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
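As an added illustration (not part of the thread or the draft text), here is how a recipient could validate an audience claim that may be a single value or a list of values, comparing each value as an opaque string rather than a parsed URI, since an audience value need not be a URI at all (a client_id is one such case). The token endpoint URL and client_id below are constructed placeholders, and the claim sets are unsigned sample input.

```python
import json
from typing import Iterable, Union


def audience_values(aud: Union[str, list, None]) -> list:
    """Normalise the 'aud' claim to a list of strings.

    A single string is allowed (the audience is "a value", not necessarily a
    URI) and so is a list of strings (multiple audiences). Anything else is
    malformed and rejected rather than silently ignored.
    """
    if aud is None:
        return []
    if isinstance(aud, str):
        return [aud]
    if isinstance(aud, list) and all(isinstance(a, str) for a in aud):
        return list(aud)
    raise ValueError("aud must be a string or a list of strings")


def audience_accepted(aud, my_identifiers: Iterable[str]) -> bool:
    """True if at least one audience value names this recipient.

    Values are compared as opaque strings (exact, case-sensitive match).
    No URI parsing or normalisation is applied, because an audience value
    may be a non-URI such as a client_id.
    """
    values = audience_values(aud)
    if not values:
        return False  # an assertion with no audience is not for us
    mine = set(my_identifiers)
    return any(v in mine for v in values)


def check_assertion_audience(claims_json: str, my_identifiers: Iterable[str]) -> bool:
    """Parse a JSON claim set (constructed, unsigned sample) and check 'aud'."""
    claims = json.loads(claims_json)
    return audience_accepted(claims.get("aud"), my_identifiers)


# Constructed sample values, not taken from any real deployment.
TOKEN_ENDPOINT = "https://as.example.com/token"  # hypothetical token endpoint
CLIENT_ID = "s6BhdRkqt3"                          # hypothetical client_id
SINGLE_URI_AUD = json.dumps({"iss": CLIENT_ID, "aud": TOKEN_ENDPOINT})
MULTI_AUD = json.dumps({"iss": "https://idp.example.net",
                        "aud": [CLIENT_ID, TOKEN_ENDPOINT]})
WRONG_AUD = json.dumps({"iss": CLIENT_ID, "aud": ["https://other.example.org/token"]})

if __name__ == "__main__":
    for name, claims in [("single", SINGLE_URI_AUD), ("multi", MULTI_AUD), ("wrong", WRONG_AUD)]:
        print(name, check_assertion_audience(claims, [TOKEN_ENDPOINT]))
```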