Re: [OAUTH-WG] Must the Audience value in the Assertions Spec be a URI?

Anthony Nadalin <tonynad@microsoft.com> Thu, 27 December 2012 22:58 UTC

From: Anthony Nadalin <tonynad@microsoft.com>
To: John Bradley <ve7jtb@ve7jtb.com>, Mike Jones <Michael.Jones@microsoft.com>
Thread-Topic: [OAUTH-WG] Must the Audience value in the Assertions Spec be a URI?
Date: Thu, 27 Dec 2012 22:57:09 +0000
Message-ID: <8b1f49ba29404f349af3dc3abb2878e4@BY2PR03MB041.namprd03.prod.outlook.com>
References: <4E1F6AAD24975D4BA5B1680429673943669A88C1@TK5EX14MBXC283.redmond.corp.microsoft.com> <CE2FF7F1-C630-49E1-A942-C1CEB8ACF93E@ve7jtb.com>
In-Reply-To: <CE2FF7F1-C630-49E1-A942-C1CEB8ACF93E@ve7jtb.com>
Accept-Language: en-US
Content-Language: en-US
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Must the Audience value in the Assertions Spec be a URI?

What do you mean by multi-valued, and what are the semantics of multi-valued?

From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of John Bradley
Sent: Thursday, December 27, 2012 5:32 AM
To: Mike Jones
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] Must the Audience value in the Assertions Spec be a URI?

Agreed.

We need to clarify that the value of the audience claim can be multi-valued as well.

John B.

On 2012-12-26, at 10:43 PM, Mike Jones <Michael.Jones@microsoft.com> wrote:


http://tools.ietf.org/html/draft-ietf-oauth-assertions-08#section-5.1 currently says:

   Audience  A URI that identifies the party intended to process the
      assertion.  The audience SHOULD be the URL of the Token Endpoint
      as defined in Section 3.2 <http://tools.ietf.org/html/draft-ietf-oauth-assertions-08#section-3.2> of OAuth 2.0 [RFC6749] <http://tools.ietf.org/html/rfc6749>.


I think that "URI" should be changed to "value", since audience values in general need not be URIs.  In particular, in some contexts OAuth client_id values are used as audience values, and they need not be URIs.  Also, SAML allows multiple audiences (and indeed, the OAuth SAML profile is written in terms of "an audience value" - not "the audience value"), and so the generic Assertions spec should do likewise.

Thus, I would propose changing the text above to the following:

   Audience  A value that identifies the parties intended to process the
      assertion.  An audience value SHOULD be the URL of the Token Endpoint
      as defined in Section 3.2 <http://tools.ietf.org/html/draft-ietf-oauth-assertions-08#section-3.2> of OAuth 2.0 [RFC6749] <http://tools.ietf.org/html/rfc6749>.

                                                            -- Mike

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
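The point Mike and John raise (an audience value need not be a URI, a client_id may serve as one, and the claim may carry several values) is what a token endpoint's audience check has to cope with. The following is an added illustration, not code from the thread or from any OAuth implementation: a verifier-side check that accepts a single value or a list, and that compares values as exact strings rather than normalising them as URIs. The endpoint URL, client_id and assertion claims are constructed sample values.

```python
from typing import Any, Dict, Iterable, List


def audience_values(aud: Any) -> List[str]:
    """Normalise the audience claim to a list of strings.

    Accepts one value (a string) or a multi-valued audience (a non-empty
    list of strings); anything else is malformed and rejected.
    """
    if isinstance(aud, str):
        return [aud]
    if isinstance(aud, list) and aud and all(isinstance(a, str) for a in aud):
        return list(aud)
    raise ValueError("audience must be a non-empty string or list of strings")


def audience_accepted(aud: Any, my_identifiers: Iterable[str]) -> bool:
    """True when at least one audience value names this endpoint.

    Comparison is an exact, case-sensitive string match: because audience
    values need not be URIs (a client_id is a valid value), no URI
    normalisation is applied. Empty strings never match anything.
    """
    accepted = {i for i in my_identifiers if i}
    try:
        values = audience_values(aud)
    except ValueError:
        return False
    return any(v and v in accepted for v in values)


# Constructed sample values (claims only; signature verification is assumed
# to have already happened and is out of scope here).
TOKEN_ENDPOINT = "https://as.example.com/token"  # assumed token endpoint URL
ACCEPTED = {TOKEN_ENDPOINT}


def check_examples() -> Dict[str, bool]:
    """Run the audience check over a set of constructed assertions."""
    return {
        "single_url": audience_accepted(TOKEN_ENDPOINT, ACCEPTED),
        "multi_valued": audience_accepted(
            ["https://other.example.org/token", TOKEN_ENDPOINT], ACCEPTED),
        "trailing_slash": audience_accepted(TOKEN_ENDPOINT + "/", ACCEPTED),
        "wrong_party": audience_accepted(["https://other.example.org/token"], ACCEPTED),
        "empty_list": audience_accepted([], ACCEPTED),
        "non_string": audience_accepted(42, ACCEPTED),
    }
```

An assertion whose audience does not name the endpoint that received it is rejected even if every other claim is valid; that is the check that stops an assertion issued for one party from being replayed at another.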