ace-wg / ace-oscore-profile


Section 4.1 defines a new encoding of the access token sent to authz-info #14

Closed LudwigSeitz closed 5 years ago

LudwigSeitz commented 5 years ago

Currently the framework's intention is that the access token is sent to the authz-info endpoint without any "wrapper". Section 4.1 here requires the client to wrap the access token into a map and use the "access_token" key to identify it. This difference should be made clear in the profile.

fpalombini commented 5 years ago

Good point, thank you for bringing this up, as I had missed this.

Should the access token really be sent without the map wrapping it? I don't see that detail in the framework. Also, if we talk about CWT for example, RFC8392 does not define the CWT without the map, on the contrary, to build the CWT the first step is to

Create a CWT Claims Set containing the desired claims.

Which is a CBOR map. (See https://tools.ietf.org/html/rfc8392#section-7.1)

Anyway, I don't see the text in the OSCORE profile that says that the access token MUST be wrapped in a CBOR map, it says to use whatever token the AS wants to use. I think here we are doing the same, so I'm not really sure on how to improve the text.

jimsch commented 5 years ago

The map being referred to here is not the wrapper on the CWT but the application/ace+cbor map that is being used in this profile.

fpalombini commented 5 years ago

Ok, then it's something else.

It seems to me that's always as this content format is used, also in the framework. If the content is application/ace+cbor then the payload is a CBOR map. And in this section we are explicitly saying:

The client MUST use the Content-Format "application/ace+cbor" defined in section 8.14 of [I-D.ietf-ace-oauth-authz].

Not sure what else to add.

LudwigSeitz commented 5 years ago

No, the framework does not wrap the access token (be it a CWT or something else) in an additional CBOR map.

Fw: client -> RS/authz-info: POST payload: bytes of the access token

OSCORE-Profile: client -> RS/authz-info: POST payload (CBOR): { "access_token" : bytes of the access token}

It is this difference I want explicitly stated in the profile (also to punish you for all the programming pain it caused me ;-) )
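The two authz-info payload encodings contrasted above, as an added example that is not code from the ace-wg repository or either participant: a hand-rolled minimal CBOR encoder/decoder builds both forms for a constructed stand-in token and shows how an RS can unwrap the profile's map while still accepting raw token bytes. The text key "access_token" and the token bytes are assumptions for illustration.

```python
"""Added example: framework-style vs. OSCORE-profile-style authz-info payloads."""

def _head(major, n):
    """CBOR initial byte(s) for major type `major` and argument `n` (no floats/indefinite)."""
    if n < 24:
        return bytes([(major << 5) | n])
    if n < 0x100:
        return bytes([(major << 5) | 24, n])
    if n < 0x10000:
        return bytes([(major << 5) | 25]) + n.to_bytes(2, "big")
    return bytes([(major << 5) | 26]) + n.to_bytes(4, "big")

def cbor_bstr(b):
    return _head(2, len(b)) + b          # major type 2: byte string

def cbor_tstr(s):
    e = s.encode("utf-8")
    return _head(3, len(e)) + e          # major type 3: text string

def cbor_map_tstr_bstr(d):
    """Map with text-string keys and byte-string values (all this example needs)."""
    out = _head(5, len(d))               # major type 5: map
    for k, v in d.items():
        out += cbor_tstr(k) + cbor_bstr(v)
    return out

# Constructed stand-in for the token bytes the AS issued (a real one is e.g. a
# COSE-wrapped CWT); the content is irrelevant here, only that it is opaque bytes.
TOKEN = bytes.fromhex("d83d8443a10105a10554ac4e2b7b")

def framework_payload(token):
    """Framework style: the POST payload to authz-info *is* the token, no wrapper."""
    return token

def profile_payload(token):
    """OSCORE-profile style: application/ace+cbor map { "access_token": token }.
    Assumption: the text key shown in the thread is used as the map key."""
    return cbor_map_tstr_bstr({"access_token": token})

def _read_head(buf, i):
    ib = buf[i]
    major, ai = ib >> 5, ib & 0x1F
    if ai < 24:
        return major, ai, i + 1
    size = {24: 1, 25: 2, 26: 4}[ai]
    return major, int.from_bytes(buf[i + 1:i + 1 + size], "big"), i + 1 + size

def extract_token(payload):
    """RS side: unwrap the profile's map if present, otherwise treat the bytes as the token.
    Relies on a CWT/reference token not itself starting with a CBOR map (COSE objects
    are tags or arrays), so the leading major type distinguishes the two encodings."""
    major, n, i = _read_head(payload, 0)
    if major != 5:
        return payload                   # framework encoding: raw token bytes
    for _ in range(n):
        km, kl, i = _read_head(payload, i)
        key, i = payload[i:i + kl], i + kl
        vm, vl, i = _read_head(payload, i)
        val, i = payload[i:i + vl], i + vl
        if km == 3 and key == b"access_token" and vm == 2:
            return val
    raise ValueError("application/ace+cbor map without an access_token entry")
```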

fpalombini commented 5 years ago

Ok, I think I got it. I will add a sentence to note this difference. Sorry about the pain, it was not the goal! 😄