AMWA-TV / is-10

AMWA IS-10 NMOS Authorization Specification
https://specs.amwa.tv/is-10
Apache License 2.0

Clarify requirements for 'aud' JWT attribute #58

Closed andrewbonney closed 4 years ago

andrewbonney commented 4 years ago

The docs hint that wildcarded domains should be used, but the examples include absolute URIs (with a protocol/scheme): https://github.com/AMWA-TV/nmos-authorization/blob/v1.0-dev/docs/4.4.%20Behaviour%20-%20Access%20Tokens.md#aud

In order to match the 'URI' part of StringOrURI I believe the protocol is required, but we may choose not to match that. Either way it needs to be clear what format resource servers should expect to find in the 'aud' key.

If for any reason we permitted two 'aud' formats, the testing tool should be updated to test for handling of both.

andrewbonney commented 4 years ago

One potential reason to use absolute URIs is the applicability to https://tools.ietf.org/html/rfc8707 which may form an extension to the spec in the future.

andrewbonney commented 4 years ago

Another reason a clarification here is important is that a URI may imply a port number (for example https -> 443) and/or a path. We should be clear on whether this is intended or not. Different implementations may operate on different ports so my suspicion is that we should explicitly note that 'aud' conveys hostname (and potentially protocol) only.
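
The following is an added example, not part of the issue thread or of the IS-10 specification: a sketch of how a resource server could accept both 'aud' forms discussed above (wildcarded domain and absolute URI) by reducing each entry to a hostname pattern and ignoring scheme, port and path. The function names, the hostname-only comparison and the rule that `*.` covers one or more leading labels are assumptions made for illustration; the hostnames are constructed.

```python
from urllib.parse import urlsplit


def aud_host_pattern(aud_entry):
    """Reduce one 'aud' entry to a lowercase hostname pattern.

    Accepts a bare (possibly wildcarded) hostname or an absolute URI.
    Scheme, userinfo, port and path are discarded (assumed policy).
    """
    entry = aud_entry.strip()
    if "://" in entry:
        netloc = urlsplit(entry).netloc
    else:
        netloc = entry.split("/", 1)[0]
    host = netloc.rsplit("@", 1)[-1]          # drop any userinfo
    if host.startswith("["):                  # IPv6 literal, keep the brackets
        host = host[: host.find("]") + 1]
    else:
        host = host.split(":", 1)[0]          # drop an explicit port
    return host.lower().rstrip(".")


def host_matches(pattern, own_host):
    """Compare a pattern with this server's hostname, failing closed."""
    own_host = own_host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]                  # ".example.com"
        # Assumed rule: at least one label must precede the suffix, so the
        # bare parent domain and look-alike suffixes are both rejected.
        return own_host.endswith(suffix) and len(own_host) > len(suffix)
    return pattern != "" and pattern == own_host


def audience_accepts(aud_claim, own_host):
    """'aud' may be a single string or an array of strings (RFC 7519)."""
    if isinstance(aud_claim, str):
        entries = [aud_claim]
    else:
        entries = list(aud_claim or [])
    return any(
        isinstance(e, str) and host_matches(aud_host_pattern(e), own_host)
        for e in entries
    )


if __name__ == "__main__":
    # Constructed sample values, one per 'aud' form raised in the thread.
    for aud in ["*.example.com", "https://*.example.com",
                "https://registry.example.com:8443/x-nmos", "example.org"]:
        print(aud, "->", audience_accepts(aud, "registry.example.com"))
```

A test tool covering both formats would feed the same hostname through each form and expect identical decisions, which is what the sample loop prints.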