AMWA-TV / is-10

AMWA IS-10 NMOS Authorization Specification
https://specs.amwa.tv/is-10
Apache License 2.0

Port number for issuer #80

Closed lo-simon closed 4 years ago

lo-simon commented 4 years ago

Where a Resource Server has no matching public key for a given token, it SHOULD attempt to obtain the missing public key via the token iss claim as specified in RFC 8414 section 3. In cases where the Resource Server needs to fetch a public key from a remote Authorization Server it MAY temporarily respond with an HTTP 503 code in order to avoid blocking the incoming authorized request.

As the iss claim does not provide the port number, where can it be obtained? Or should the Authorization Server always be assigned to port 443?

garethsb commented 4 years ago

I thought the iss claim should be a URL like <api_proto>://<hostname>:<port>[/<api_selector>]. (The port may be omitted in which case the protocol specifies the default port, e.g. HTTPS = 443.)

Is that not the case?

garethsb commented 4 years ago

https://github.com/AMWA-TV/nmos-authorization/blob/v1.0-dev/docs/4.4.%20Behaviour%20-%20Access%20Tokens.md#iss

lo-simon commented 4 years ago

So the Authorization Server MUST already be on port 443

garethsb commented 4 years ago

Yes if it's omitted (and you're not doing something quirky with a protocol other than HTTPS)!

garethsb commented 4 years ago

There are some things that may need fixing however... though the spec link above says "MUST be a uri", the example https://github.com/AMWA-TV/nmos-authorization/blob/v1.0-dev/examples/access_token.json has a hostname only, and the schema https://github.com/AMWA-TV/nmos-authorization/blob/v1.0-dev/APIs/schemas/token_schema.json description has only the looser StringOrURI requirement from RFC 7519 Section 4.1.1.

peterbrightwell commented 4 years ago

Can be closed as PR #80 merged during today's meeting
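The port derivation discussed in this thread, as an added example that is not part of the issue or of the IS-10 project's code: it resolves an iss URL to a host and port (falling back to the scheme default when the port is omitted), rejects a hostname-only iss, and builds the RFC 8414 section 3 metadata URL. The function names, the `allow_http` parameter and the `example.com` values are assumptions made for illustration.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"https": 443, "http": 80}
WELL_KNOWN = "/.well-known/oauth-authorization-server"  # RFC 8414 section 3


def issuer_endpoint(iss, allow_http=False):
    """Split an iss claim into (scheme, host, port, path).

    Raises ValueError for values that are not absolute URLs, such as a
    bare hostname, which RFC 7519's StringOrURI would still permit.
    """
    parts = urlsplit(iss)
    allowed = ("https", "http") if allow_http else ("https",)
    if parts.scheme not in allowed or not parts.hostname:
        raise ValueError(f"iss is not an absolute {'/'.join(allowed)} URL: {iss!r}")
    if parts.query or parts.fragment or parts.username is not None:
        raise ValueError(f"iss has query, fragment or userinfo: {iss!r}")
    # .port raises ValueError itself for a non-numeric or out-of-range port
    port = parts.port if parts.port is not None else DEFAULT_PORTS[parts.scheme]
    return parts.scheme, parts.hostname, port, parts.path.rstrip("/")


def metadata_url(iss, allow_http=False):
    """Build the RFC 8414 metadata URL: well-known string goes between host and path."""
    scheme, host, port, path = issuer_endpoint(iss, allow_http)
    if ":" in host:  # IPv6 literal: urlsplit strips the brackets
        host = f"[{host}]"
    netloc = host if port == DEFAULT_PORTS[scheme] else f"{host}:{port}"
    return f"{scheme}://{netloc}{WELL_KNOWN}{path}"


if __name__ == "__main__":
    # Constructed sample iss values (example.com names are placeholders)
    for iss in ("https://auth.example.com",
                "https://auth.example.com:8443/tenant1/",
                "auth.example.com"):
        try:
            print(iss, "->", issuer_endpoint(iss), metadata_url(iss))
        except ValueError as exc:
            print(iss, "-> rejected:", exc)
```

Because iss is read from a token whose signature has not yet been verified, compare the resulting host and port against the configured Authorization Server before fetching anything from it.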