Hello, To bring a different view, I wanted to mention Kantara UMA (User Managed Access) approach to this problem. (I participated in the UMA v2.0 development this year, so had the chance to be more familiar with the new drafts.)
In UMA, the resource server must respond to a client's tokenless (unauthorized) access attempt by obtaining a permission ticket from the authorization server. If RS is able to obtain a permission ticket from the AS, RS returns this ticket to the client also with the AS uri to aid AS discovery. UMA handles resources (resource sets, permissions etc.) differently but the permission requests (from RS to AS) can be considered as signaling to the AS what audience/scope RS expects. In ACE, there are limitations of course - i.e., RS may not always reach AS etc. Nevertheless, it may be useful to think how other groups approach similar problems. Best, --Cigdem On Mon, Oct 23, 2017 at 2:38 PM, Ludwig Seitz <ludwig.se...@ri.se> wrote: > Hello ACE, > > Jim Schaad has brought up an interesting question [1] on > draft-ietf-ace-oauth-authz [2]: > > Currently when a client makes an unauthorized request to a resource > server, it gets back the address of the authorization server and optionally > a nonce (to prevent replay attacks). > > Jim is suggesting to add hints to the audience and scope the resource > server expects for accessing this resource. > > I'm not sure whether that would not reveal too much information to a > potential attacker. > > What does the group think of this issue? > > /Ludwig > > > [1] https://github.com/ace-wg/ace-oauth/issues/124 > [2] https://tools.ietf.org/html/draft-ietf-ace-oauth-authz-08#se > ction-5.1.2 > -- > Ludwig Seitz, PhD > Security Lab, RISE SICS > Phone +46(0)70-349 92 51 > > _______________________________________________ > Ace mailing list > Ace@ietf.org > https://www.ietf.org/mailman/listinfo/ace >
_______________________________________________ Ace mailing list Ace@ietf.org https://www.ietf.org/mailman/listinfo/ace