Hi Ludwig,

the issue is that folks in the OAuth group have defined two parameters, namely 
resource (for URIs) and audience (for logical names), and in ACE there is only 
one doing both.

To me it appears sub-optimal to have different ways to accomplish the 
same goal just based on the protocol in which the information is exchanged.

Which route is better? I don't care.

Ciao
Hannes
-----Original Message-----
From: Ludwig Seitz <ludwig.se...@ri.se>
Sent: Donnerstag, 7. Februar 2019 16:29
To: Hannes Tschofenig <hannes.tschofe...@arm.com>; ace@ietf.org; oa...@ietf.org
Subject: Re: [OAUTH-WG] [Ace] Shepherd write-up for draft-ietf-oauth-resource-indicators-01

On 07/02/2019 16:15, Hannes Tschofenig wrote:
> Hi Ludwig,
>
>> My interpretation of this is that "resource" refers to a single resource
>
> No. Here is the text from token exchange (see last sentence):
>
>     resource
[...]
> Multiple "resource" parameters may be used to indicate
>        that the issued token is intended to be used at the multiple
>        resources listed.
>

Enumerating the audience is not the same as addressing it by a group name.

I agree that, without too much stretching of the definition of the
resource parameter, I could use URIs as group identifiers; however, the
audience claim is defined to be "StringOrURI", so if someone defines an
audience identified by a String that is not a URI, how does a client ask
for that with the resource parameter?

Or in short: Why don't you make your resource parameter mirror the "aud"
claim?

/Ludwig

--
Ludwig Seitz, PhD
Security Lab, RISE
Phone +46(0)70-349 92 51
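As an added illustration (not code from either message, nor from any OAuth or ACE draft), the following Python sketches the two request styles the thread contrasts and the resource server's check of the resulting `aud` claim. It assumes RFC 8707's rule that a `resource` value is an absolute URI without a fragment and RFC 7519's definition of `aud` as a string or array of StringOrURI values; the hostnames and group names are constructed.

```python
from urllib.parse import urlsplit


def is_resource_indicator(value):
    """RFC 8707 'resource' value: an absolute URI (scheme required), no fragment."""
    parts = urlsplit(value)
    return bool(parts.scheme) and "#" not in value


def _dedupe(values):
    """Keep first occurrence of each value, preserving request order."""
    seen = []
    for v in values:
        if v not in seen:
            seen.append(v)
    return seen


def aud_from_oauth_request(resource=(), audience=()):
    """OAuth style: 'resource' carries URIs, 'audience' carries logical names.
    Raises ValueError where an AS would answer with the invalid_target error."""
    aud = []
    for r in resource:
        if not is_resource_indicator(r):
            raise ValueError("invalid_target: %r is not an absolute URI" % (r,))
        aud.append(r)
    aud.extend(audience)
    return _dedupe(aud)


def aud_from_ace_request(audience=()):
    """ACE style: one parameter whose values are StringOrURI, so a URI and a
    plain group name are requested the same way (the point made in the thread)."""
    return _dedupe(list(audience))


def rs_accepts_token(aud_claim, my_identifiers):
    """RS side: 'aud' is a string or a list (RFC 7519). The RS must find one of
    its own identifiers (a URI or a logical group name) in it, compared exactly."""
    auds = [aud_claim] if isinstance(aud_claim, str) else list(aud_claim)
    return any(a in my_identifiers for a in auds)


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    print(aud_from_oauth_request(resource=["https://rs1.example/"], audience=["rs-group-1"]))
    print(aud_from_ace_request(audience=["https://rs1.example/", "rs-group-1"]))
    try:
        aud_from_oauth_request(resource=["rs-group-1"])  # a bare name cannot go in 'resource'
    except ValueError as err:
        print(err)
    print(rs_accepts_token("rs-group-1", {"https://rs1.example/", "rs-group-1"}))
```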

_______________________________________________
Ace mailing list
Ace@ietf.org
https://www.ietf.org/mailman/listinfo/ace
