From 9702f2b2663d447c0efbc241a1baf22317c72af9 Mon Sep 17 00:00:00 2001 From: Vittorio Bertocci Date: Mon, 21 Jan 2019 14:32:26 -0800 Subject: [PATCH 1/5] Update draft-ietf-oauth-resource-indicators.xml Quick edits --- draft-ietf-oauth-resource-indicators.xml | 24 ++++++++++++++++++------ 1 file changed, 18 insertions(+), 6 deletions(-) diff --git a/draft-ietf-oauth-resource-indicators.xml b/draft-ietf-oauth-resource-indicators.xml index 38e01b3..9238034 100644 --- a/draft-ietf-oauth-resource-indicators.xml +++ b/draft-ietf-oauth-resource-indicators.xml @@ -45,7 +45,7 @@ An extension to the OAuth 2.0 Authorization Framework defining request parameters that enable a client - to explicitly signal to an authorization server about the location of the protected + to explicitly signal to an authorization server about the identity of the protected resource(s) to which it is requesting access. @@ -87,7 +87,7 @@ typically about what access is being requested rather than where that access will be redeemed (e.g. email, admin:org, user_photos, channels:read, and channels:write are a small sample of scope - values in use in the wild that convey only the type of access and not the location). + values in use in the wild that convey only the type of access and not the location or identity). In some circumstances and for some deployments, a means for the client to signal to the authorization server where it 
@@ -137,11 +137,14 @@ - Indicates the location of the target service or + Indicates the identifier of the target service or resource where access is being requested. Its value MUST be an absolute URI, as specified by Section 4.3 of , which MAY include a query component but MUST NOT include a fragment component. + The URI MAY correspond to the network addressable endpoint where the target resource is hosted. + Alternatively, the URI MAY also represent an abstract identifier that does not correspond to a network addressable endpoint. + See the Security Considerations section for more details about the security implications of the two approaches. Multiple resource parameters MAY be used to indicate @@ -149,8 +152,9 @@ - The parameter value indicates the location of a protected resource, typically as an https URL, - where the client is requesting access. This enables the authorization server to apply policy as appropriate + The parameter value identifies a resource to which the client is requesting access. + The parameter can carry the location of a protected resource, typically as an https URL, or an abstract identifier. + This enables the authorization server to apply policy as appropriate for the resource, such as determining the type and content of tokens to be issued, if and how tokens are encrypted, and applying appropriate audience restrictions. @@ -194,7 +198,7 @@
- When the resource parameter is used in an authorization request to the authorization endpoint, it indicates the location of + When the resource parameter is used in an authorization request to the authorization endpoint, it indicates the identity of the protected resource(s) to which access is being requested. When an access token will be returned directly from the authorization endpoint via the implicit flow (Section 4.2 of OAuth 2.0), the requested resource is applicable to that access token. In the code flow (Section 4.1 of OAuth 2.0) where an @@ -408,6 +412,14 @@ is needed when using access tokens with multiple audiences. Furthermore an authorization server may be unwilling or unable to fulfill a token request with multiple resources. + + Whenever feasible, the resource parameter + should correspond to the network addressable location of the protected resource. + This makes it possible for the client to validate that the resource being requested controls the corresponding + network location, reducing the risk of malicious endpoints obtaining tokens meant for other resources. + If the resource parameter contains an abstract identifier, it is the client's + responsibility to validate out of band that any network endpoint to which tokens are sent are the intended audience for that identifier. +
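Review bot: in the @@ -87 hunk, "convey only the type of access and not the location or identity" leaves "identity" dangling without a noun it belongs to; suggest "convey only the type of access and neither the location nor the identity of the resource".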
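Review bot: in the @@ -137 hunk, "Alternatively, the URI MAY also represent an abstract identifier" doubles up "Alternatively" and "also"; drop "also". If "See the Security Considerations section for more details" is plain text rather than an <xref> to that section's anchor, make it an <xref> so xml2rfc renders a link and the reference survives section renumbering. "network addressable endpoint" should be hyphenated as "network-addressable endpoint" when used attributively.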
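Review bot: in the @@ -408 hunk, the new paragraph uses lowercase "should" for what reads as a normative recommendation ("the resource parameter should correspond to the network addressable location"); either use SHOULD per RFC 2119 or reword it so it is clearly informative. "any network endpoint to which tokens are sent are the intended audience" has a subject-verb mismatch and should read "is the intended audience". The sentence "This makes it possible for the client to validate that the resource being requested controls the corresponding network location" does not say how that validation happens; spell out that the client sends the token only to the endpoint named by the resource value and relies on TLS server authentication of that host, so a token whose audience is one location cannot be coaxed out to a different endpoint, whereas with an abstract identifier no such check falls out of the protocol and the client must establish the identifier-to-endpoint mapping out of band. "network addressable location" should be "network-addressable location".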
From df43cbdf90ae317e9c873286c52affab5c1e7021 Mon Sep 17 00:00:00 2001 From: Brian Campbell Date: Wed, 23 Jan 2019 05:19:03 -0700 Subject: [PATCH 2/5] add Vittorio to Acknowledgements --- draft-ietf-oauth-resource-indicators.xml | 1 + 1 file changed, 1 insertion(+) diff --git a/draft-ietf-oauth-resource-indicators.xml b/draft-ietf-oauth-resource-indicators.xml index 9238034..cbf1fd8 100644 --- a/draft-ietf-oauth-resource-indicators.xml +++ b/draft-ietf-oauth-resource-indicators.xml @@ -505,6 +505,7 @@ individuals contributed ideas, feedback, and wording that helped shape this specification: + Vittorio Bertocci, Sergey Beryozkin, William Denniss, Vladimir Dzhuvinov, From 7894b679abec68e94961d127324f39f64b45b990 Mon Sep 17 00:00:00 2001 From: Brian Campbell Date: Wed, 23 Jan 2019 05:59:30 -0700 Subject: [PATCH 3/5] Add to Document History: Clarify that the value of the "resource" parameter can be an abstract identifier for the resource as well as network addressable location --- draft-ietf-oauth-resource-indicators.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/draft-ietf-oauth-resource-indicators.xml b/draft-ietf-oauth-resource-indicators.xml index cbf1fd8..6d428e3 100644 --- a/draft-ietf-oauth-resource-indicators.xml +++ b/draft-ietf-oauth-resource-indicators.xml @@ -531,7 +531,7 @@ draft-ietf-oauth-resource-indicators-02 - + Clarify that the value of the "resource" parameter can be an abstract identifier for the resource as well as network addressable location. From 862f1944f4aada57dd7354c18ca9e3f14dfa2df1 Mon Sep 17 00:00:00 2001 From: Brian Campbell Date: Wed, 23 Jan 2019 06:02:55 -0700 Subject: [PATCH 4/5] be less specific about location in the Access Token Request section --- draft-ietf-oauth-resource-indicators.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/draft-ietf-oauth-resource-indicators.xml b/draft-ietf-oauth-resource-indicators.xml index 6d428e3..195586b 100644 
--- a/draft-ietf-oauth-resource-indicators.xml +++ b/draft-ietf-oauth-resource-indicators.xml @@ -272,7 +272,7 @@ When the resource parameter is used on an access token request made to the token endpoint, - for all grant types, it indicates the location of the target service or protected resource where the client intends to use + for all grant types, it indicates the target service or protected resource where the client intends to use the requested access token. From e3ff05c02cca486c8d474adab1a4658b08d21b68 Mon Sep 17 00:00:00 2001 From: Brian Campbell Date: Wed, 23 Jan 2019 06:14:35 -0700 Subject: [PATCH 5/5] reword the resource parameter text a bit --- draft-ietf-oauth-resource-indicators.xml | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/draft-ietf-oauth-resource-indicators.xml b/draft-ietf-oauth-resource-indicators.xml index 195586b..9968fa3 100644 --- a/draft-ietf-oauth-resource-indicators.xml +++ b/draft-ietf-oauth-resource-indicators.xml @@ -137,14 +137,13 @@ - Indicates the identifier of the target service or + Indicates the target service or resource where access is being requested. Its value MUST be an absolute URI, as specified by Section 4.3 of , which MAY include a query component but MUST NOT include a fragment component. - The URI MAY correspond to the network addressable endpoint where the target resource is hosted. - Alternatively, the URI MAY also represent an abstract identifier that does not correspond to a network addressable endpoint. - See the Security Considerations section for more details about the security implications of the two approaches. + The URI MAY correspond to a network addressable location where the target resource is hosted or + it MAY be an abstract identifier representing the identity of the resource. Multiple resource parameters MAY be used to indicate
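Review bot: in the @@ -272 hunk of patch 4, "the target service or protected resource where the client intends to use the requested access token" still implies a place even though the parameter can now be an abstract identifier; "for which the client intends to use" or "at which the client intends to use" fits both readings.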
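Review bot: in the @@ -137 hunk of patch 5, the rewrite removes the sentence pointing to the Security Considerations section that patch 1 added, while the Security Considerations paragraph on abstract identifiers from patch 1 remains in the document; keep an <xref> to it here so a reader of the parameter definition is directed to the client's out-of-band validation obligation for abstract identifiers. "network addressable location" should be hyphenated as "network-addressable location", consistent with the wording used elsewhere in the series.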