audience REQUIRED for just one trust domain? #63
Comments
|
So, with the move to bind the What is the benefit of making the |
Mostly brevity reasons. Also, if it is defined as REQUIRED, it will be enforced by 3rd party libraries which a company might want to integrate in their components/services. This essentially forces the company (albeit using Txn-Tokens within their trust domain only internally) to define and set the aud claim without added benefit. Having aud REQUIRED also implies that the value needs to be validated somehow. I think this aspect should be mentioned in the spec, if it is really required. So every Token service must have the audience parameter validated as well as every service/worker receiving a Txn-Token must validate the aud claim against a configured accepted value (or list of values). |
|
I think |
|
Closing as per discussion in meeting on 2/2/24: https://hackmd.io/@rpc-sec-wg/Hk0ggi5ca |
This issue is somewhat related to the aud claim comment I made earlier via mail to the authors.
The spec states that audience parameter is REQUIRED in the Txn-Token request. It contains the trust domain. To my understanding, every trust domain has a single (logical) Txn-Service. A Txn-Service is usually configured to only issue Txn-Tokens to one and only one trust domain. Also the authenticating clients which the Txn-Service accepts in incoming requests are part of that trust domain. After all, they have been registered within that trust domain. It might be possible that the Txn-Service is used in multiple trust domains. In those scenarios I fully agree that the audience parameter is REQUIRED. My guess is, though, that the most deployed setup will incorporate a single trust domain.
The text was updated successfully, but these errors were encountered: