Re: [OAUTH-WG] Must the Audience value in the Assertions Spec be a URI?

Torsten Lodderstedt <torsten@lodderstedt.net> Thu, 27 December 2012 06:46 UTC

From: Torsten Lodderstedt <torsten@lodderstedt.net>
Date: Thu, 27 Dec 2012 07:46:10 +0100
To: Mike Jones <Michael.Jones@microsoft.com>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Must the Audience value in the Assertions Spec be a URI?

+1 

On 27.12.2012 at 02:43, Mike Jones <Michael.Jones@microsoft.com> wrote:

> http://tools.ietf.org/html/draft-ietf-oauth-assertions-08#section-5.1 currently says:
>  
>    Audience  A URI that identifies the party intended to process the
>       assertion.  The audience SHOULD be the URL of the Token Endpoint
>       as defined in Section 3.2 of OAuth 2.0 [RFC6749].
>  
> I think that “URI” should be changed to “value”, since audience values in general need not be URIs.  In particular, in some contexts OAuth client_id values are used as audience values, and they need not be URIs.  Also, SAML allows multiple audiences (and indeed, the OAuth SAML profile is written in terms of “an audience value” – not “the audience value”), and so the generic Assertions spec should do likewise.
>  
> Thus, I would propose changing the text above to the following:
>  
>    Audience  A value that identifies the parties intended to process the
>       assertion.  An audience value SHOULD be the URL of the Token Endpoint
>       as defined in Section 3.2 of OAuth 2.0 [RFC6749].
>  
>                                                             -- Mike
>  
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
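The practical consequence of the wording discussed above is how an authorization server checks the audience of an assertion it receives at its token endpoint: the value may be a URI (typically the token endpoint URL) or some other identifier, and there may be several of them. The following is an added example, not code from the thread or from the assertions draft, of a fail-closed audience check; the identifiers `https://as.example.com/token` and `as-example-issuer-id` are constructed placeholders for the server's own accepted audience values, and `claims` is assumed to be the already-verified, decoded assertion payload.

```python
"""Audience validation for an assertion presented at an OAuth 2.0 token
endpoint. Added example, not code from the assertions draft or the thread.

Assumptions: the assertion's signature has already been verified, its
audience is available as either a single string or a list of strings (both
SAML and JSON-shaped assertions allow several audiences), and the
authorization server knows the set of identifiers it accepts for itself.
"""
from typing import Iterable, Mapping, Union

AudienceClaim = Union[str, Iterable[str]]

# Constructed sample identifiers for this authorization server (not real).
# One is the token endpoint URL, as the draft recommends; the other shows
# that a non-URI audience value works the same way.
TOKEN_ENDPOINT_URL = "https://as.example.com/token"
ACCEPTED_AUDIENCES = frozenset({TOKEN_ENDPOINT_URL, "as-example-issuer-id"})


def normalize_audience(aud: AudienceClaim) -> list:
    """Return the audience claim as a list of strings, whatever its shape.

    A bare string is a single audience; any other iterable is a multi-valued
    audience. Empty lists and non-string members are rejected rather than
    coerced, so a malformed assertion fails closed.
    """
    if isinstance(aud, str):
        return [aud]
    values = list(aud)
    if not values or any(not isinstance(v, str) for v in values):
        raise ValueError("audience must be a string or a non-empty list of strings")
    return values


def audience_accepted(aud: AudienceClaim,
                      accepted: Iterable[str] = ACCEPTED_AUDIENCES) -> bool:
    """True if at least one audience value names this authorization server.

    Comparison is an exact, case-sensitive string match: the draft only says
    the value SHOULD be the token endpoint URL, and exact matching avoids the
    ambiguity of URI normalization rules. With several audiences it is enough
    that one of them is ours; the others may legitimately name other parties
    the issuer intended the assertion for.
    """
    try:
        values = normalize_audience(aud)
    except ValueError:
        return False
    accepted_set = set(accepted)
    return any(v in accepted_set for v in values)


def assertion_audience_ok(claims: Mapping,
                          accepted: Iterable[str] = ACCEPTED_AUDIENCES) -> bool:
    """Check the audience of a decoded assertion payload.

    An assertion with no audience at all is rejected: without one, nothing
    stops it from being replayed at a different authorization server.
    """
    if "aud" not in claims:
        return False
    return audience_accepted(claims["aud"], accepted)


if __name__ == "__main__":
    # Constructed sample payloads (not real assertions).
    print(assertion_audience_ok({"aud": TOKEN_ENDPOINT_URL}))
    print(assertion_audience_ok({"aud": ["https://other.example/sp", TOKEN_ENDPOINT_URL]}))
    print(assertion_audience_ok({"aud": "https://other.example/sp"}))
    print(assertion_audience_ok({"iss": "someone"}))
```

The exact-match rule is a deliberate choice: if the deployment needs to accept, say, a trailing-slash variant of the token endpoint URL, add that variant to the accepted set rather than normalizing the incoming value, so the set of accepted audiences stays explicit and auditable.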