andrewbonney
commented
4 years ago I've had another go at this in a second commit (which could be squashed with the first). This better matches what was already required for resource servers.
Closed andrewbonney closed 4 years ago
andrewbonney
commented
4 years ago I've had another go at this in a second commit (which could be squashed with the first). This better matches what was already required for resource servers.
Resolves #57
This is currently a little in conflict with https://github.com/AMWA-TV/nmos-authorization/blob/v1.0-dev/docs/4.5.%20Behaviour%20-%20Resource%20Servers.md#public-keys - this document assumes that any public keys used in the system are available from any Authorization Server. Ideally we don't want Resource Servers to have to make requests to every Authorization Server as this makes the function of the 'pri' TXT record somewhat redundant.
One alternative would be to keep the Resource Server docs the same, but to re-word the issuer text such that Resource Servers MAY use the issuer to identify the correct public key to use if they don't already have one that works. This still encourages all Authorization Servers to host each other's public keys, but protects against misconfiguration where a key is missing from one of them. There is then no requirement for a Resource Server to contact an Issuer unless it fails to perform token signature validation.