Added references to protected resource metadata

appsdesh · appsdesh · commit b585ac8418d0 · 2023-08-17T17:48:51.000-07:00
diff --git a/openid-sharedsignals-framework-1_0.md b/openid-sharedsignals-framework-1_0.md
@@ -140,6 +140,17 @@ normative:
     date: May 2021
     target: https://datatracker.ietf.org/doc/html/draft-ietf-secevent-subject-identifiers
     title: Subject Identifiers for Security Event Tokens
+  PROTECTEDSERVERMETADATA:
+    author:
+    - ins: M.B. Jones
+      name: Michael B. Jones
+    - ins: P. Hunt
+      name: Phil Hunt
+    - ins: A. Parecki
+      name: Aaron Parecki
+    date: July 2023
+    target: https://datatracker.ietf.org/doc/html/draft-jones-oauth-resource-metadata-04#name-protected-resource-metadata
+    title: OAuth 2.0 Protected Resource Metadata
 
 informative:
   CAEP:
@@ -538,9 +549,36 @@ critical_subject_members
 > OPTIONAL. An array of member names in a Complex Subject which, if present in
   a Subject Member in an event, MUST be interpreted by a Receiver.
 
+authorizationSchemes
+
+> OPTIONAL. A multi-valued complex type that specifies supported
+  authorization scheme properties defined in {{authorization-scheme}}.  To enable seamless discovery of
+  configurations, the service provider SHOULD, with the appropriate
+  security considerations, make the authorizationSchemes attribute
+  publicly accessible without prior authentication.
+
+
 TODO: consider adding a IANA Registry for metadata, similar to Section 7.1.1 of
 {{RFC8414}}. This would allow other specs to add to the metadata.
 
+### Authorization scheme {#authorization-scheme}
+Authorization scheme used by the receiver to authorize with the Transmitter's management API for SET event stream. 
+
+type
+
+> The authorization scheme.  This specification defines the values "oauth", "oauth2",
+    "oauthbearertoken" REQUIRED.
+
+The receiver will call the transmitter APIs by providing appropriate credentials as mentioned in the type.
+
+
+If the Authorization scheme is OAuth2 
+- The Transmitter SHOULD publish Protected Server Metadata {{PROTECTEDSERVERMETADATA}} to aid the discovery of metadata needed to interact with an OAuth 2.0 protected resource.
+- Discovery of the Protected Server Metadata {{PROTECTEDSERVERMETADATA}} is outside the scope of this specification.
+- The receiver may obtain an access token using the Client
+Credential Grant {{CLIENTCRED}}, or any other method suitable for the Receiver and the
+Transmitter.
+
 ## Obtaining Transmitter Configuration Information
 
 Using the Issuer as documented by the Transmitter, the Transmitter Configuration
@@ -637,8 +675,10 @@ Content-Type: application/json
     "https://tr.example.com/ssf/mgmt/subject:remove",
   "verification_endpoint":
     "https://tr.example.com/ssf/mgmt/verification",
-  "critical_subject_members": [ "tenant", "user" ]
-  ]
+  "critical_subject_members": [ "tenant", "user" ],
+  "authenticationSchemes": {
+    "type": "oauth2"
+  }
 }
 ~~~
 {: #figdiscoveryresponse title="Example: Transmitter Configuration Response"}
@@ -1834,14 +1874,6 @@ subject
 ~~~
 {: title="Example: Stream Updated SET with stream as the subject of single-stream Transmitter" #figstreamupdatedstreamset}
 
-# Authorization {#management-api-auth}
-HTTP API calls from a Receiver to a Transmitter SHOULD be authorized by
-providing an OAuth 2.0 Access Token as defined by {{RFC6750}}.
-
-The receiver may obtain an access token using the Client
-Credential Grant {{CLIENTCRED}}, or any other method suitable for the Receiver and the
-Transmitter.
-
 # Security Considerations {#management-sec}
 
 ## Subject Probing {#management-sec-subject-probing}
