[OAUTH-WG] Must the Audience value in the Assertions Spec be a URI?

Mike Jones <Michael.Jones@microsoft.com> Thu, 27 December 2012 01:43 UTC

From: Mike Jones <Michael.Jones@microsoft.com>
To: "oauth@ietf.org" <oauth@ietf.org>
Thread-Topic: Must the Audience value in the Assertions Spec be a URI?
Thread-Index: Ac3j04NezOeB4joAT3Gv4w/5l0I27g==
Date: Thu, 27 Dec 2012 01:43:08 +0000
Message-ID: <4E1F6AAD24975D4BA5B1680429673943669A88C1@TK5EX14MBXC283.redmond.corp.microsoft.com>
Subject: [OAUTH-WG] Must the Audience value in the Assertions Spec be a URI?

http://tools.ietf.org/html/draft-ietf-oauth-assertions-08#section-5.1 currently says:

   Audience  A URI that identifies the party intended to process the
      assertion.  The audience SHOULD be the URL of the Token Endpoint
      as defined in Section 3.2 (http://tools.ietf.org/html/draft-ietf-oauth-assertions-08#section-3.2) of OAuth 2.0 [RFC6749] (http://tools.ietf.org/html/rfc6749).

I think that "URI" should be changed to "value", since audience values in general need not be URIs.  In particular, in some contexts OAuth client_id values are used as audience values, and they need not be URIs.  Also, SAML allows multiple audiences (and indeed, the OAuth SAML profile is written in terms of "an audience value" - not "the audience value"), and so the generic Assertions spec should do likewise.

Thus, I would propose changing the text above to the following:

   Audience  A value that identifies the parties intended to process the
      assertion.  An audience value SHOULD be the URL of the Token Endpoint
      as defined in Section 3.2 (http://tools.ietf.org/html/draft-ietf-oauth-assertions-08#section-3.2) of OAuth 2.0 [RFC6749] (http://tools.ietf.org/html/rfc6749).

                                                            -- Mike
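The practical consequence of the wording change above is on the receiving side: an authorization server that validates an assertion's audience must accept one or several audience values and compare each as an opaque string, because a client_id audience is not a URI and cannot be URI-normalised. The following is an added example illustrating that check; it is not code from the message, the draft, or any IETF implementation. It assumes the assertion's claims arrive as a JSON object whose "aud" member is either a single string or an array of strings (the JWT claims shape), and the token endpoint URL and client identifier it uses are constructed sample values.

```python
"""Audience validation for an OAuth assertion, treating audience as a
value (or list of values) compared by exact string equality.

Added example, not part of the original message or of the Assertions
draft. Assumptions: claims are a JSON object; "aud" is a string or an
array of strings (JWT claims shape); endpoint and client_id are
constructed sample values.
"""
import json
from typing import Dict, FrozenSet, List

TOKEN_ENDPOINT = "https://as.example/token"   # constructed sample value
CLIENT_ID = "s6BhdRkqt3"                       # constructed sample value

# Every identifier this authorization server is willing to be addressed
# as. One is a URL (the token endpoint), one is not (a client_id).
ACCEPTED_AUDIENCES: FrozenSet[str] = frozenset({TOKEN_ENDPOINT, CLIENT_ID})


def audience_values(claims: Dict) -> List[str]:
    """Return the assertion's audience(s) as a list of strings.

    A single string and a non-empty list of strings are both accepted,
    since an assertion may name more than one audience. A missing claim,
    an empty list, or a list containing a non-string entry is treated as
    malformed and yields an empty list, so the check below fails closed.
    """
    aud = claims.get("aud")
    if isinstance(aud, str):
        return [aud]
    if isinstance(aud, list) and aud and all(isinstance(a, str) for a in aud):
        return aud
    return []


def audience_accepted(claims: Dict, accepted: FrozenSet[str] = ACCEPTED_AUDIENCES) -> bool:
    """True if at least one audience value names this server.

    Comparison is exact string equality. No URI normalisation (case
    folding of scheme or host, trailing-slash stripping, percent-decoding)
    is applied: an audience that is a client_id is not a URI, and
    normalising would risk making two distinct identifiers compare equal.
    """
    return any(a in accepted for a in audience_values(claims))


def check_assertion_json(raw: str, accepted: FrozenSet[str] = ACCEPTED_AUDIENCES) -> bool:
    """Parse a JSON claims set and apply the audience check."""
    try:
        claims = json.loads(raw)
    except ValueError:
        return False
    return isinstance(claims, dict) and audience_accepted(claims, accepted)


if __name__ == "__main__":
    # Constructed sample assertions: the first three should pass, the
    # rest should be rejected.
    samples = [
        '{"aud": "https://as.example/token"}',
        '{"aud": "s6BhdRkqt3"}',
        '{"aud": ["https://other.example/token", "https://as.example/token"]}',
        '{"aud": "https://as.example/token/"}',      # trailing slash differs
        '{"aud": "HTTPS://AS.EXAMPLE/token"}',       # case differs
        '{"aud": []}',
        '{"iss": "client-without-aud"}',
        '{"aud": ["https://as.example/token", 5]}',  # malformed entry
    ]
    for s in samples:
        print(check_assertion_json(s), s)
```

The accepted-audience set is deliberately a set of literal strings rather than a parsed URL: that is what lets the same routine serve a deployment whose clients put the token endpoint URL in the audience and one whose clients put a client_id there, which is the situation the proposed "value" wording is meant to cover.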