oauth-wg / oauth-v2-1

OAuth 2.1 is a consolidation of the core OAuth 2.0 specs
https://oauth.net/2.1/

Terminology: "relying party" vs. "client" #169

Open SECtim opened 9 months ago

SECtim commented 9 months ago

In some places, the term "relying party" is used instead of "client":

https://github.com/oauth-wg/oauth-v2-1/blob/f79f58841f717b0e6050da663c4a858bc100fda1/draft-ietf-oauth-v2-1.md?plain=1#L2820-L2822

https://github.com/oauth-wg/oauth-v2-1/blob/f79f58841f717b0e6050da663c4a858bc100fda1/draft-ietf-oauth-v2-1.md?plain=1#L2578-L2582

aaronpk commented 1 week ago

@dickhardt this sentence is from RFC6750, but the terminology seems to conflict with modern uses of "audience restricted access tokens". Do you remember what this was intended to mean?

> Issue scoped bearer tokens: Token servers SHOULD issue bearer tokens that contain an audience restriction, scoping their use to the intended relying party or set of relying parties.

dickhardt commented 1 week ago

In practice this is the 'aud' claim in a JWT -- but since 6750 does not specify a token format, this is guidance that the token should indicate who the audience is.

The phrase "issue scoped bearer tokens" is confusing as it is conflating scopes with audience.

Can you point me to what you mean by 'modern uses of "audience restricted access tokens"'?

dickhardt commented 1 week ago

Also, in the case of 6750, as this is an access token, relying party is referring to the resource server, not the client.
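The audience restriction discussed above, as an added example that is not part of this thread or of the oauth-v2-1 draft: an authorization server mints a JWT access token whose 'aud' claim names the intended resource server(s), and the resource server accepts the token only if its own identifier appears there, keeping the scope check as a separate decision. The issuer, the resource server identifier, the subject and the shared HMAC key are constructed for the example; HS256 with a shared key is used only so the block runs offline, a real deployment would use an asymmetric key and the authorization server's published JWKS.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for this example (not from the thread or the draft).
ISSUER = "https://as.example.com"
RESOURCE_SERVER_ID = "https://api.example.com"      # this resource server's own identifier
SIGNING_KEY = b"constructed-demo-key-do-not-use"     # shared HMAC key, for self-containment only


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_access_token(subject, audience, scope, lifetime=300, now=None):
    """Authorization server side: mint an HS256 JWT access token.
    'aud' says where the token may be presented (one resource server or a list);
    'scope' says what the client may do there. They are separate claims."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "at+jwt"}
    payload = {"iss": ISSUER, "sub": subject, "aud": audience, "scope": scope,
               "iat": now, "exp": now + lifetime}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(SIGNING_KEY, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def validate_access_token(token, my_audience=RESOURCE_SERVER_ID, now=None):
    """Resource server side: verify signature, issuer and expiry, then require that
    this server is named in 'aud'. Raises ValueError on failure, returns claims on success."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # the token must not choose the algorithm
    expected = hmac.new(SIGNING_KEY, (h + "." + p).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if now >= claims.get("exp", 0):
        raise ValueError("expired")
    # Audience restriction: 'aud' may be a string or a list (RFC 7519); this server must be in it.
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else list(aud or [])
    if my_audience not in audiences:
        raise ValueError("token not intended for %s" % my_audience)
    return claims


def has_scope(claims, needed):
    """Scope check happens after the audience check: what the caller may do here."""
    return needed in claims.get("scope", "").split()


def is_accepted(token, my_audience=RESOURCE_SERVER_ID, now=None):
    """Convenience wrapper: True if this resource server would accept the token."""
    try:
        validate_access_token(token, my_audience, now)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    t_api = issue_access_token("alice", RESOURCE_SERVER_ID, "read write", now=1000)
    t_other = issue_access_token("alice", "https://other.example.com", "read write", now=1000)
    print("token for this RS accepted:", is_accepted(t_api, now=1100))
    print("token for another RS accepted:", is_accepted(t_other, now=1100))
    print("read allowed:", has_scope(validate_access_token(t_api, now=1100), "read"))
```

A token with broad scope but the wrong audience is still rejected, which is the point of the 'aud' claim: scope limits what the client may do, audience limits where the token is valid, and a resource server that skips the audience check will honour tokens that were issued for some other server.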