Discussion:
[OAUTH-WG] PoP, Introspection and ACE
Samuel Erdtman
2016-04-16 22:42:28 UTC
Permalink
Hi,

I'm working on the IANA section in
https://tools.ietf.org/html/draft-ietf-ace-oauth-authz.

In https://tools.ietf.org/html/draft-ietf-ace-oauth-authz we want to have
the option to get the PoP parameters (alg, key and aud) via introspection
e.g. if using a reference token.

At the moment I wrote the registration text of the parameters in the ACE
specification but I think it would be preferable if
https://tools.ietf.org/html/draft-ietf-oauth-pop-key-distribution did the
registration for introspection too.

Comments?

//Samuel
John Bradley
2016-04-16 23:23:19 UTC
Permalink
It is probably best to register “cnf” to match RFC 7600 so we don’t have two different structures one for JWT/CWT and one for introspection.

On the other hand introspected tokens are generally relatively custom in what claims they pass.

I will discuss it with Hannes.

John B.
Hi,
I'm working on the IANA section in https://tools.ietf.org/html/draft-ietf-ace-oauth-authz <https://tools.ietf.org/html/draft-ietf-ace-oauth-authz>.
In https://tools.ietf.org/html/draft-ietf-ace-oauth-authz <https://tools.ietf.org/html/draft-ietf-ace-oauth-authz> we want to have the option to get the PoP parameters (alg, key and aud) via introspection e.g. if using a reference token.
At the moment I wrote the registration text of the parameters in the ACE specification but I think it would be preferable if https://tools.ietf.org/html/draft-ietf-oauth-pop-key-distribution <https://tools.ietf.org/html/draft-ietf-oauth-pop-key-distribution> did the registration for introspection too.
Comments?
//Samuel
_______________________________________________
Ace mailing list
https://www.ietf.org/mailman/listinfo/ace
Samuel Erdtman
2016-04-23 23:00:01 UTC
Permalink
Thanks John for your reply, have you had time to discuss a way forward with
Hannes.

I agree we should absolutely register cnf in introspection to go inline
with RFC 7800.

Since RFC 7800 is done it might be preferable to do the registration in the
ACE specification that is the specification that needs it.

//Samuel
Post by John Bradley
It is probably best to register “cnf” to match RFC 7600 so we don’t have
two different structures one for JWT/CWT and one for introspection.
On the other hand introspected tokens are generally relatively custom in
what claims they pass.
I will discuss it with Hannes.
John B.
Hi,
I'm working on the IANA section in
https://tools.ietf.org/html/draft-ietf-ace-oauth-authz.
In https://tools.ietf.org/html/draft-ietf-ace-oauth-authz we want to have
the option to get the PoP parameters (alg, key and aud) via introspection
e.g. if using a reference token.
At the moment I wrote the registration text of the parameters in the ACE
specification but I think it would be preferable if
https://tools.ietf.org/html/draft-ietf-oauth-pop-key-distribution did the
registration for introspection too.
Comments?
//Samuel
_______________________________________________
Ace mailing list
https://www.ietf.org/mailman/listinfo/ace
Loading...