rfc9767v1.txt   rfc9767.txt 
skipping to change at line 243

The access token is issued by the AS as defined in [GNAP]. The AS will need to identify itself in order to allow an RS to recognize tokens that the AS has issued, particularly in cases where tokens from multiple different ASs could be presented to the same RS. This information is not usually conveyed directly to the client instance, since the client instance should know this information based on where it receives the token from.

In the payload of a JSON Web Token [JWT] or a token introspection response, this corresponds to the iss claim.

2.1.3. Audience

The access token is intended for use at one or more RSs. The AS can list a token's intended RSs to allow each RS to ensure that the RS is not receiving a token intended for someone else. The AS and RS have to agree on the nature of any audience identifiers represented by the token, but the URIs of the RS are a common pattern.

In the payload of a JSON Web Token [JWT] or token introspection response, this corresponds to the aud claim.

In cases where more complex access is required, the location field of objects in the access array can also convey audience information. In such cases, the client instance might need to know the audience information in order to differentiate between possible RSs to present the token to.

2.1.4. Key Binding

Access tokens in GNAP are bound to the client instance's registered
skipping to change at line 300

or digest algorithm. If such information is not included with the proofing key, an attacker could present a token with a seemingly valid key using an insecure and incorrect proofing mechanism.

This value is conveyed to the client instance in the key field of the access_token response in Section 3.2 of [GNAP]. Since the common case is that the token is bound to the client instance's registered key, this field can be omitted in this case since the client will be aware of its own key.

In the payload of a JSON Web Token [JWT], this corresponds to the cnf (confirmation) claim. In a token introspection response, this corresponds to the key claim.

In the case of a bearer token, all parties need to know that a token has no key bound to it and will therefore reject any attempts to use the bearer token with a key in an undefined way.

2.1.5. Flags

GNAP access tokens can have multiple associated data flags that
skipping to change at line 366

within an hour of a token's issuance, but only within five minutes of the token's issuance for certain high-value calls.

Since access tokens could be revoked at any time for any reason outside of a client instance's control, the client instance often does not know or concern itself with the validity time window of an access token. However, this information can be made available to it by using the expires_in field of an access token response; see Section 3.2 of [GNAP].

The issuance time of the token is conveyed in the iat claim in the payload of a JSON Web Token [JWT] or a token introspection response.

The expiration time of a token, after which it is to be rejected, is conveyed in the exp claim in the payload of a JSON Web Token [JWT] or a token introspection response.

The starting time of a token's validity window, before which it is to be rejected, is conveyed in the nbf claim in the payload of a JSON Web Token [JWT] or a token introspection response.

2.1.8. Token Identifier

Individual access tokens often need a unique internal identifier to allow the AS to differentiate between multiple separate tokens. The value of the token itself can often be used as the identifier, but in some cases, a separate identifier is used.

This separate identifier can be conveyed in the jti claim in the payload of a JSON Web Token [JWT] or a token introspection response.

This identifier is not usually exposed to the client instance using the token, because the client instance only needs to use the token by value.
2.1.9. Authorizing Resource Owner

Access tokens are approved on behalf of a resource owner (RO). The identity of this RO can be used by the RS to determine exactly which resource to access or which kinds of access to allow. For example, an access token used to access identity information can hold a user identifier to allow the RS to determine which profile information to return. The nature of this information is subject to agreement by the AS and RS.

This corresponds to the sub claim in the payload of a JSON Web Token [JWT] or a token introspection response.

Detailed RO information is not returned to the client instance when an access token is requested alone, and in many cases, returning this information to the client instance would be a privacy violation on the part of the AS. Since the access token represents a specific delegated access, the client instance needs only to use the token at its target RS. Following the profile example, the client instance does not need to know the account identifier to get specific attributes about the account represented by the token.
skipping to change at line 447

2.1.11. Client Instance

Access tokens are issued to a specific client instance by the AS. The identity of this instance can be used by the RS to allow specific kinds of access or other attributes about the access token. For example, an AS that binds all access tokens issued to a particular client instance to that client instance's most recent key rotation would need to be able to look up the client instance in order to find the key binding detail.

This corresponds to the client_id claim in the payload of a JSON Web Token [JWT] or the instance_id field of a token introspection response.

The client is not normally informed of this information separately, since a client instance can usually correctly assume that it is the client instance to which a token that it receives was issued.

2.1.12. Label

When multiple access tokens are requested or a client instance uses token labels, the parties will need to keep track of which labels were applied to each individual token. Since labels can be reused
skipping to change at line 538

structure, by using a special internal access right, or any other means at its disposal. Just like other access tokens in GNAP, the contents of these AS-specific access tokens are opaque to the software presenting the token. Unlike other access tokens, the contents of these AS-specific access tokens are also opaque to the RS.

The client instance is given continuation access tokens only as part of the continue field of the grant response in Section 3.1 of [GNAP]. The client instance is given token management access tokens only as part of the manage field of the grant response in Section 3.2.1 of [GNAP]. The means by which the RS is given resource server management access tokens is out of scope of this specification, but methods could include preconfiguration of the token value with the RS software or granting the access token through a standard GNAP process.

For continuation access tokens and token management access tokens, a client instance MUST take steps to differentiate these special-purpose access tokens from access tokens used at one or more RSs. To facilitate this, a client instance can store AS-specific access
skipping to change at line 766

3. The AS validates the access token value and the RS's request and returns the introspection response for the token.
4. The RS fulfills the request from the client instance.

The RS signs the request with its own key and sends the value of the access token in the body of the request as a JSON object with the following members:

access_token (string): The access token value presented to the RS by the client instance. REQUIRED.
proof (string): The proofing method used by the client instance to bind the token to the RS request. The value MUST be registered in the "GNAP Key Proofing Methods" registry. RECOMMENDED.
resource_server (object/string): The identification used to authenticate the resource server making this call, either by value or by reference as described in Section 3.2. REQUIRED.
access (array of strings/objects): The minimum access rights required to fulfill the request. This MUST be in the format described in Section 8 of [GNAP]. OPTIONAL.

Additional fields are defined in the "GNAP Token Introspection Request" registry (Section 5.4).

POST /introspect HTTP/1.1
Host: server.example.com
Content-Type: application/json
Signature-Input: sig1=...
Signature: sig1=...
Digest: sha256=...
skipping to change at line 825

* is appropriate for presentation at the identified RS, and
* is appropriate for the access indicated (if present).

The AS responds with a data structure describing the token's current state and any information the RS would need to validate the token's presentation, such as its intended proofing mechanism and key material.

active (boolean): If true, the access token presented is active, as defined above. If any of the criteria for an active token are not true, or if the AS is unable to make a determination (such as the token is not found), the value is set to false and other fields are omitted. REQUIRED.

If the access token is active, additional fields from the single access token response structure defined in Section 3.2.1 of [GNAP] are included. In particular, these include the following:

access (array of strings/objects): The access rights associated with this access token. This MUST be in the format described in Section 8 of [GNAP]. This array MAY be filtered or otherwise limited for consumption by the identified RS, including being an empty array, which indicates that the token has no explicit access rights that can be disclosed to the RS. REQUIRED.
key (object/string): The key bound to the access token, to allow the RS to validate the signature of the request from the client instance. If the access token is a bearer token, this MUST NOT be included. REQUIRED if the token is bound.
flags (array of strings): The set of flags associated with the access token. OPTIONAL.
exp (integer): The timestamp after which this token is no longer valid. Expressed as integer seconds from UNIX Epoch. OPTIONAL.
iat (integer): The timestamp at which this token was issued by the AS. Expressed as integer seconds from UNIX Epoch. OPTIONAL.
nbf (integer): The timestamp before which this token is not valid. Expressed as integer seconds from UNIX Epoch. OPTIONAL.
aud (string or array of strings): Identifiers for the resource servers this token can be accepted at. OPTIONAL.
sub (string): Identifier of the resource owner who authorized this token. OPTIONAL.
iss (string): Grant endpoint URL of the AS that issued this token. REQUIRED.
instance_id (string): The instance identifier of the client instance that the token was issued to. OPTIONAL.

Additional fields are defined in the "GNAP Token Introspection Response" registry (Section 5.5).

The response MAY include any additional fields defined in an access token response and MUST NOT include the access token value itself.

HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-store
skipping to change at line 913

In all cases, the final determination of the response is at the discretion of the RS.
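The introspection exchange of Section 3.3, with the AS-side determination of active and the RS-side checks on the response, as an added Python example; it is not code from RFC 9767 or from any GNAP implementation. The token store, RS registry, token values and key material are constructed, the HTTP Message Signature on the RS's request is assumed to have been verified before introspect() is called, and the per-RS limiting of the access array follows the Section 6.8 advice.

```python
AS_ISSUER = "https://server.example.com/tx"  # grant endpoint URL of this AS (constructed)

# Constructed: the AS's record of tokens it has issued, keyed by token value.
TOKEN_STORE = {
    "OS9M2PMHKUR64TB8N6BW7OZB8CDFONP219RP1LT0": {   # key-bound token
        "access": [
            {"type": "photo-api", "actions": ["read", "delete"],
             "locations": ["https://server.example.net/"]},
            {"type": "financial-transaction", "actions": ["read"],
             "locations": ["https://bank.example.org/"]},
            "dolphin-metadata",
        ],
        "aud": ["https://server.example.net/", "https://bank.example.org/"],
        "key": {"proof": "httpsig", "jwk": {"kty": "EC", "crv": "P-256",
                                            "x": "constructed-x", "y": "constructed-y"}},
        "sub": "user-18a1", "instance_id": "client-12351.bdxqf",
        "iat": 1700000000, "exp": 1700003600, "revoked": False,
    },
    "BEARER7Q4DM2ZVW8T1ABC": {   # bearer token: no key bound to it
        "access": ["dolphin-metadata"],
        "aud": ["https://server.example.net/"],
        "sub": "user-18a1", "instance_id": "client-12351.bdxqf",
        "iat": 1700000000, "exp": 1700003600, "revoked": False,
    },
}

# Constructed: RSs known to the AS, keyed by the instance_id each one sends as
# resource_server (by reference), mapped to the audience URI the RS serves.
RS_REGISTRY = {
    "7C7C4AZ9KHRS6X63AJAO": "https://server.example.net/",
    "BANKRS00000000000001": "https://bank.example.org/",
}


def _covers(granted: list, wanted: list) -> bool:
    """True if every requested right (Section 8 of GNAP format) is satisfied
    by the token's rights: strings by equality, objects when a granted object
    has the same type and a superset of the requested actions and locations."""
    for w in wanted:
        if isinstance(w, str):
            if w not in granted:
                return False
        elif not any(isinstance(g, dict) and g["type"] == w["type"]
                     and set(w.get("actions", [])) <= set(g.get("actions", []))
                     and set(w.get("locations", [])) <= set(g.get("locations", []))
                     for g in granted):
            return False
    return True


def _limit_for_rs(access: list, rs_location: str) -> list:
    """Section 6.8: disclose only the rights relevant to the identified RS.
    Object rights are kept when their locations include the RS; string
    references are kept as they are (their meaning is AS/RS-specific)."""
    return [a for a in access
            if isinstance(a, str) or rs_location in a.get("locations", [])]


def introspect(request: dict, now: int) -> dict:
    """AS side: build the introspection response for an RS's signed request."""
    token = TOKEN_STORE.get(request.get("access_token", ""))
    rs_location = RS_REGISTRY.get(request.get("resource_server", ""))
    if token is None or rs_location is None or token["revoked"]:
        return {"active": False}   # unknown token or RS, or revoked: disclose nothing else
    if not token.get("nbf", 0) <= now < token["exp"]:
        return {"active": False}   # outside the validity window
    if rs_location not in token["aud"]:
        return {"active": False}   # not appropriate for presentation at this RS
    if "proof" in request and request["proof"] != token.get("key", {}).get("proof"):
        return {"active": False}   # presented with a proofing method it is not bound to
    if "access" in request and not _covers(token["access"], request["access"]):
        return {"active": False}   # insufficient for the access indicated
    resp = {"active": True, "iss": AS_ISSUER,
            "access": _limit_for_rs(token["access"], rs_location),
            "aud": token["aud"], "sub": token["sub"],
            "instance_id": token["instance_id"],
            "iat": token["iat"], "exp": token["exp"]}
    if "nbf" in token:
        resp["nbf"] = token["nbf"]
    if "key" in token:             # REQUIRED if bound; MUST NOT be present for a bearer token
        resp["key"] = token["key"]
    return resp


def rs_accepts(resp: dict, proof_used, rs_location: str, now: int) -> bool:
    """RS side: decide on the client's request from the introspection
    response (the final determination stays with the RS)."""
    if not resp.get("active"):
        return False
    if resp.get("iss") != AS_ISSUER or rs_location not in resp.get("aud", []):
        return False
    if now < resp.get("nbf", 0) or now >= resp.get("exp", now + 1):
        return False
    if "key" in resp:              # bound token: the client must have used that proof method
        return proof_used == resp["key"]["proof"]
    return proof_used is None      # bearer token presented with a key: undefined, reject
```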
3.4. Registering a Resource Set

If the RS needs to, it can post a set of resources, as described in Section 8 ("Resource Access Rights") of [GNAP], to the AS's resource registration endpoint along with information about what the RS will need to validate the request.

access (array of objects/strings): The list of access rights associated with the request in the format described in Section 8 ("Resource Access Rights") of [GNAP]. REQUIRED.
resource_server (object/string): The identification used to authenticate the resource server making this call, either by value or by reference as described in Section 3.2. REQUIRED.
token_formats_supported (array of strings): The list of token formats that the RS is able to process. The values in this array MUST be registered in the "GNAP Token Formats" registry per Section 5.3. If the field is omitted, the token format is at the discretion of the AS. If the AS does not support any of the requested token formats, the AS MUST return an error to the RS. OPTIONAL.
token_introspection_required (boolean): If present and set to true, the RS expects to make a token introspection request as described in Section 3.3. If absent or set to false, the RS does not anticipate needing to make an introspection request for tokens relating to this resource set. If the AS does not support token introspection for this RS, the AS MUST return an error to the RS. OPTIONAL.

Additional fields are defined in the "GNAP Resource Set Registration Request Parameters" registry (Section 5.6).

The RS MUST identify itself with its own key and sign the request.
POST /resource HTTP/1.1
Host: server.example.com
Content-Type: application/json
Signature-Input: sig1=...

skipping to change at line 976

    "dolphin-metadata"
  ],
  "resource_server": "7C7C4AZ9KHRS6X63AJAO"
}

The AS responds with a reference appropriate to represent the resources list that the RS presented in its request as well as any additional information the RS might need in future requests.

resource_reference (string): A single string representing the list of resources registered in the request. The RS MAY make this handle available to a client instance as part of a discovery response as described in Section 9.1 of [GNAP] or as documentation to client software developers. REQUIRED.
instance_id (string): An instance identifier that the RS can use to refer to itself in future calls to the AS, in lieu of sending its key by value. See Section 3.2. OPTIONAL.
introspection_endpoint (string): The introspection endpoint of this AS that is used to allow the RS to perform token introspection. See Section 3.3. OPTIONAL.

Additional fields are defined in the "GNAP Resource Set Registration Response Parameters" registry (Section 5.7).

HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-store

{
  "resource_reference": "FWWIKYBQ6U56NL1"
}

If a resource was previously registered, the AS MAY return the same resource reference value as in previous responses.

If the registration fails, the AS returns HTTP status code 400 (Bad Request) to the RS, indicating that the registration was not successful.

The client instance can then use the resource_reference value as a string-type access reference as defined in Section 8.1 of [GNAP]. This value MAY be combined with any other additional access rights requested by the client instance.

{
  "access_token": {
    "access": [
      "FWWIKYBQ6U56NL1",
skipping to change at line 1042

      },
      "dolphin-metadata"
    ]
  },
  "client": "client-12351.bdxqf"
}
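Resource set registration from Section 3.4 and the later resolution of the returned resource_reference inside a client instance's access request (Section 8.1 of [GNAP]), as an added Python example; it is not code from RFC 9767 or from any GNAP implementation. The RS identities, the contents of the token format registry, the introspection endpoint URL and the way references are minted are all constructed, and the error codes other than invalid_access are placeholders because the page does not list them.

```python
import hashlib
import json

# Constructed stand-in for the "GNAP Token Formats" registry (Section 5.3);
# the set is illustrative, not the registry's full contents.
TOKEN_FORMATS_REGISTRY = {"jwt-signed", "jwt-encrypted", "macaroon"}
AS_SUPPORTED_FORMATS = {"jwt-signed"}   # formats this AS can issue (constructed)
INTROSPECTION_ENDPOINT = "https://server.example.com/introspect"   # constructed

# Constructed: RSs whose keys the AS knows, keyed by instance_id, with whether
# the AS offers token introspection to that RS.
KNOWN_RS = {"7C7C4AZ9KHRS6X63AJAO": {"introspection": True},
            "LEGACYRS000000000001": {"introspection": False}}

REGISTERED_SETS: dict = {}   # resource_reference -> {"rs": id, "access": [...]}


def _reference_for(rs_id: str, access: list) -> str:
    """Mint a resource_reference. Deriving it from the RS identity and the
    canonical access list makes re-registering the same set return the same
    reference, which Section 3.4 permits. The derivation is this example's
    choice; RFC 9767 does not specify one."""
    canon = json.dumps(access, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(f"{rs_id}\n{canon}".encode()).hexdigest()[:15].upper()


def _valid_access_item(item) -> bool:
    """Section 8 of GNAP: a string reference, or an object carrying a type."""
    return isinstance(item, str) or (
        isinstance(item, dict) and isinstance(item.get("type"), str))


def register_resource_set(request: dict, signer_id: str):
    """AS-side handler for the RS's signed POST to the resource registration
    endpoint. signer_id is the RS identity established by the signature
    layer. Returns (http_status, body); failures are 400 with a string-form
    error field (Section 3.5). invalid_access is the code shown on the page;
    the other codes used here are constructed placeholders."""
    if signer_id not in KNOWN_RS or request.get("resource_server") != signer_id:
        return 400, {"error": "invalid_resource_server"}      # placeholder code
    access = request.get("access")
    if not isinstance(access, list) or not access or not all(map(_valid_access_item, access)):
        return 400, {"error": "invalid_access"}
    fmts = request.get("token_formats_supported")
    if fmts is not None:
        if not set(fmts) <= TOKEN_FORMATS_REGISTRY:     # values MUST be registered
            return 400, {"error": "invalid_token_format"}    # placeholder code
        if not set(fmts) & AS_SUPPORTED_FORMATS:         # AS supports none: MUST error
            return 400, {"error": "invalid_token_format"}    # placeholder code
    wants_introspection = bool(request.get("token_introspection_required", False))
    if wants_introspection and not KNOWN_RS[signer_id]["introspection"]:
        return 400, {"error": "introspection_not_supported"}  # placeholder code
    ref = _reference_for(signer_id, access)
    REGISTERED_SETS[ref] = {"rs": signer_id, "access": access}
    body = {"resource_reference": ref, "instance_id": signer_id}
    if wants_introspection:      # tell the RS where to introspect (Section 3.3)
        body["introspection_endpoint"] = INTROSPECTION_ENDPOINT
    return 200, body


def expand_access(requested: list) -> list:
    """AS-side resolution of a client instance's access request: a string
    that names a registered resource set is replaced by the rights registered
    for it (Section 8.1 of GNAP); any other string reference or object is
    passed through unchanged."""
    expanded = []
    for item in requested:
        if isinstance(item, str) and item in REGISTERED_SETS:
            expanded.extend(REGISTERED_SETS[item]["access"])
        else:
            expanded.append(item)
    return expanded
```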
3.5. Error Responses

In the case of an error from the RS-facing API, the AS responds to the RS with HTTP status code 400 (Bad Request) and a JSON object consisting of a single error field, which is either an object or a string.

When returned as a string, the error value is the error code:

{
  "error": "invalid_access"
}

When returned as an object, the error object contains the following
skipping to change at line 1392

The table below contains the initial contents of the "GNAP Resource Set Registration Request Parameters" registry.

+==============================+=================+=============+
| Name                         | Type            | Reference   |
+==============================+=================+=============+
| access                       | array of        | Section 3.4 |
|                              | strings/objects | of RFC 9767 |
+------------------------------+-----------------+-------------+
| resource_server              | object/string   | Section 3.4 |
|                              |                 | of RFC 9767 |
+------------------------------+-----------------+-------------+
| token_formats_supported      | array of        | Section 3.4 |
|                              | strings         | of RFC 9767 |
+------------------------------+-----------------+-------------+
| token_introspection_required | boolean         | Section 3.4 |
|                              |                 | of RFC 9767 |
+------------------------------+-----------------+-------------+

Table 4: Initial Contents of the GNAP Resource Set Registration Request Parameters Registry

5.7. GNAP Resource Set Registration Response Parameters

This document defines a means to register a resource set for a GNAP

skipping to change at line 1667

6.7. Token Format Considerations

With formatted tokens, the format of the token is likely to have its own considerations, and the RS needs to follow any such considerations during the token validation process. The application and scope of these considerations is specific to the format and outside the scope of this specification.

6.8. Oversharing Token Contents

The contents of the access token model divulge information about the access token's context and rights to the RS. This is true whether the contents are parsed from the token itself or sent in an introspection response.

It's likely that every RS does not need to know all details of the token model, especially in systems where a single access token is usable across multiple RSs. An attacker could use this to gain information about the larger system by compromising only one RS. By limiting the information available to only that which is relevant to a specific RS, such as using a limited introspection reply as defined
in Section 3.3, a system can follow the principle of least disclosure in Section 3.3, a system can follow the principle of least disclosure
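Review bot: the reordered opening sentence of 6.8 ("divulge information about the access token's context and rights to the RS") is clearer, but the next paragraph keeps the misplaced negation "It's likely that every RS does not need to know all details", which literally says no RS needs any of them; "It's likely that not every RS needs to know all details of the token model" states the intended point and leads naturally into the least-disclosure argument that follows.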
skipping to change at line 1721 skipping to change at line 1723
coming from the trusted AS and is being presented with a valid key, coming from the trusted AS and is being presented with a valid key,
the RS has no way of telling that the token was passed through an the RS has no way of telling that the token was passed through an
intermediary. intermediary.
To mitigate this, the RS can publish its association with the trusted To mitigate this, the RS can publish its association with the trusted
AS through either discovery or documentation. Therefore, a client AS through either discovery or documentation. Therefore, a client
properly following this association would only go directly to the properly following this association would only go directly to the
trusted RS for access tokens for the RS. trusted RS for access tokens for the RS.
Furthermore, limiting the use of bearer tokens and AS-provided keys Furthermore, limiting the use of bearer tokens and AS-provided keys
to only highly trusted ASs and limited circumstances prevents the to only highly trusted ASs in certain circumstances prevents the
attacker from being able to willingly exfiltrate their token to an attacker from being able to willingly exfiltrate their token to an
unsuspecting client instance. unsuspecting client instance.
6.11. Introspection of Token Keys 6.11. Introspection of Token Keys
The introspection response defined in Section 3.3 provides a means The introspection response defined in Section 3.3 provides a means
for the AS to tell the RS what key material is needed to validate the for the AS to tell the RS what key material is needed to validate the
key proof of the request. Capture of the introspection response can key proof of the request. Capture of the introspection response can
expose these security keys to an attacker. In the case of asymmetric expose these security keys to an attacker. In the case of asymmetric
cryptography, only the public key is exposed, and the token cannot be cryptography, only the public key is exposed, and the token cannot be
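Review bot: "trusted RS" in "would only go directly to the trusted RS for access tokens for the RS" reads as a slip for "trusted AS", since the sentence describes where a client instance obtains tokens once it has followed the RS's published association with its AS. In the following paragraph, replacing "and limited circumstances" with "in certain circumstances" drops the restriction that was the point of the sentence; "to only highly trusted ASs and only in limited circumstances" keeps both the trust bound and the scope bound.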
skipping to change at line 1879 skipping to change at line 1881
8.2. Informative References 8.2. Informative References
[BISCUIT] Biscuit, "Biscuit Authorization", [BISCUIT] Biscuit, "Biscuit Authorization",
<https://www.biscuitsec.org/>. <https://www.biscuitsec.org/>.
[MACAROON] Birgisson, A., Politz, J. G., Erlingsson, U., Taly, A., [MACAROON] Birgisson, A., Politz, J. G., Erlingsson, U., Taly, A.,
Vrable, M., and M. Lentczner, "Macaroons: Cookies with Vrable, M., and M. Lentczner, "Macaroons: Cookies with
Contextual Caveats for Decentralized Authorization in the Contextual Caveats for Decentralized Authorization in the
Cloud", NDSS Symposium 2014, DOI 10.14722/ndss.2014.23212, Cloud", NDSS Symposium 2014, DOI 10.14722/ndss.2014.23212,
February 2014, <https://research.google/pubs/pub41892/>. February 2014, <https://www.ndss-symposium.org/ndss2014/
ndss-2014-programme/macaroons-cookies-contextual-caveats-
decentralized-authorization-cloud/>.
[RFC8126] Cotton, M., Leiba, B., and T. Narten, "Guidelines for [RFC8126] Cotton, M., Leiba, B., and T. Narten, "Guidelines for
Writing an IANA Considerations Section in RFCs", BCP 26, Writing an IANA Considerations Section in RFCs", BCP 26,
RFC 8126, DOI 10.17487/RFC8126, June 2017, RFC 8126, DOI 10.17487/RFC8126, June 2017,
<https://www.rfc-editor.org/info/rfc8126>. <https://www.rfc-editor.org/info/rfc8126>.
[ZCAPLD] Lemmer-Webber, C., Ed. and M. Sporny, Ed., "Authorization [ZCAPLD] Lemmer-Webber, C., Ed. and M. Sporny, Ed., "Authorization
Capabilities for Linked Data v0.3", W3C Draft Community Capabilities for Linked Data v0.3", W3C Draft Community
Group Report, January 2023, Group Report, January 2023,
<https://w3c-ccg.github.io/zcap-spec/>. <https://w3c-ccg.github.io/zcap-spec/>.
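Review bot: the new MACAROON URL points at the NDSS 2014 programme page and wraps across three lines; since the entry already carries DOI 10.14722/ndss.2014.23212, the DOI link form <https://doi.org/10.14722/ndss.2014.23212> is the stable locator and is the form the other entries (RFC 8126) use for their canonical reference.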
 End of changes. 40 change blocks. 
101 lines changed or deleted 105 lines changed or added

This html diff was produced by rfcdiff 1.48.