openid / sharedsignals

OpenID Shared Signals Working Group Repository

Why are iss and aud not present when creating a stream (Sec 7.1.1.1)? #110

Closed independentid closed 6 months ago

independentid commented 10 months ago

An SSF server may have events from multiple publishers and support multiple receivers.

In particular, without an Aud parameter how does the server know who it is sending to? If not supplied, how is Aud calculated for the response?

My use cases require iss and aud parameters in addition to events requested.

FragLegs commented 10 months ago

This is a good call out. It used to be that the Transmitter knew the Aud based on the bearer token. But I think the recent changes we've been discussing about decoupling SSF from OAuth means that we should make Aud a Receiver-supplied value.

FragLegs commented 10 months ago

Iss, on the other hand, is always known by the transmitter, and should remain a Transmitter-supplied value.

independentid commented 10 months ago

An SSF server may have multiple event sources behind it. By not having iss configurable, the SSF server would have to re-publish (i.e. sign) each event. This would also make it harder (as in non-standard) for the receiver to select which sources it wants.

appsdesh commented 9 months ago

As we decouple OAuth from SSF, we will need the receiver to indicate what the aud claim should be in the SETs. Making this a must-have field in the stream create request. It also makes sense to add it in the update request.

tulshi commented 9 months ago

Issue #30 is related to this.
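
The iss and aud question raised in this thread, seen from the Receiver side, as an added example that is not part of the issue or of the SSF specification: a check of a SET's `iss` and `aud` claims against what the Receiver asked for when the stream was created. `StreamConfig`, `expected_aud`, `allowed_iss` and all URLs are hypothetical names and constructed values, and the SET signature is assumed to be verified already.

```python
# Added illustration; StreamConfig field names are hypothetical, not SSF spec fields.
from dataclasses import dataclass


@dataclass(frozen=True)
class StreamConfig:
    expected_aud: str       # value the Receiver supplied at stream creation
    allowed_iss: frozenset  # event sources the Receiver chose to accept


def _aud_values(aud):
    """JWT 'aud' may be a single string or an array of strings (RFC 7519)."""
    if isinstance(aud, str):
        return [aud]
    if isinstance(aud, list) and all(isinstance(a, str) for a in aud):
        return aud
    return []


def check_set_claims(claims, stream):
    """Return a list of rejection reasons; an empty list means accept.

    Assumes the SET signature was already verified against the key of
    the issuer named in claims['iss'].
    """
    reasons = []
    iss = claims.get("iss")
    if not isinstance(iss, str):
        reasons.append("missing iss")
    elif iss not in stream.allowed_iss:
        reasons.append("unexpected iss")
    auds = _aud_values(claims.get("aud"))
    if not auds:
        reasons.append("missing aud")
    elif stream.expected_aud not in auds:
        reasons.append("aud mismatch")
    return reasons


# Constructed sample data: one SSF server relaying SETs from two sources.
STREAM = StreamConfig("https://receiver.example/ssf",
                      frozenset({"https://idp-a.example"}))
SAMPLES = [
    {"iss": "https://idp-a.example", "aud": "https://receiver.example/ssf"},
    {"iss": "https://idp-b.example", "aud": ["https://receiver.example/ssf"]},
    {"iss": "https://idp-a.example", "aud": "https://other.example/ssf"},
    {"iss": "https://idp-a.example"},
]
```
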