[Discovery fearture] Is `issuer` the right attribute in the Metadata document?

[identitymonk]

I open this issue on behalf of @baboulebou following WG meeting of April 22nd.

Proposal for PDP metadata document includes the following attribute:

issuer:

    REQUIRED. The policy decision point's issuer identifier, which is a URL that
uses the "https" scheme and has no query or fragment components. Policy
Decision Point metadata is published at a location that is ".well-known" according
to [[RFC5785](l#RFC5785)] derived from this issuer identifier, as described in
[Section 11.2](#pdp-metadata-access). The issuer identifier is used to prevent
policy decision point mix-up attacks.

This is an outcome of basing this proposal on OAuth 2.0 Authorization Server Metadata and OAuth 2.0 Protected Resource Metadata.

The discussion here is: is issuer the right attribute name knowing that its definition will require a IANA registration.

[identitymonk]

I agree that issuer is not the right attribute name in this case.

New proposal can be:

• server
• pdp
• policy_decision_point

[baboulebou]

policy_decision_point seems specific and appropriate. server could be vague.

[identitymonk]

@baboulebou I think my final proposal will revert to resource to be fully compliant with OAuth 2.0 Protected Resource Metadata which is RFC9728 since last night.

This is justified by the fact that:

• AuthZEN compliant PDP endpoint is a protected resource
• This leaves less IANA registration to do

@ogazitt , thoughts?

[baboulebou]

"Resource" has a specific semantic and meaning for AuthZEN: it's part of the payload! We can't confuse the PDP itself with the resources it manages. What's wrong with the policy_decision_point ?? Also AuthZEN is a different spec from RFC9728, I think it's quite alright to define our own config data. Different servers will use this, the AS != PDP.

[identitymonk]

RFC9728 is Resource Provider Metadata not AS Metadata @baboulebou

That was a last call sanity check. Will go with policy_decision_point.

What's wrong with the policy_decision_point ??

more IANA registration. I was just making a proposal to prevent more of this. I understand you confirmed you want to got there.

[ogazitt]

I agree with policy_decision_point since the metadata pertains not to an issuer nor to a protected resource, but to a PDP.

[identitymonk]

This is in the PR now, you can merge @ogazitt