draft-ietf-oauth-resource-indicators-01.txt   draft-ietf-oauth-resource-indicators-02.txt 
OAuth Working Group B. Campbell OAuth Working Group B. Campbell
Internet-Draft Ping Identity Internet-Draft Ping Identity
Intended status: Standards Track J. Bradley Intended status: Standards Track J. Bradley
Expires: April 22, 2019 Yubico Expires: August 1, 2019 Yubico
H. Tschofenig H. Tschofenig
Arm Limited Arm Limited
October 19, 2018 January 28, 2019
Resource Indicators for OAuth 2.0 Resource Indicators for OAuth 2.0
draft-ietf-oauth-resource-indicators-01 draft-ietf-oauth-resource-indicators-02
Abstract Abstract
An extension to the OAuth 2.0 Authorization Framework defining An extension to the OAuth 2.0 Authorization Framework defining
request parameters that enable a client to explicitly signal to an request parameters that enable a client to explicitly signal to an
authorization server about the location of the protected resource(s) authorization server about the identity of the protected resource(s)
to which it is requesting access. to which it is requesting access.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on April 22, 2019. This Internet-Draft will expire on August 1, 2019.
Copyright Notice Copyright Notice
Copyright (c) 2018 IETF Trust and the persons identified as the Copyright (c) 2019 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
skipping to change at page 3, line 19 skipping to change at page 3, line 19
to the given resource such that the token cannot be used successfully to the given resource such that the token cannot be used successfully
at other resources. at other resources.
OAuth scope, from Section 3.3 of [RFC6749], is sometimes overloaded OAuth scope, from Section 3.3 of [RFC6749], is sometimes overloaded
to convey the location or identity of the protected resource, to convey the location or identity of the protected resource,
however, doing so isn't always feasible or desirable. Scope is however, doing so isn't always feasible or desirable. Scope is
typically about what access is being requested rather than where that typically about what access is being requested rather than where that
access will be redeemed (e.g. "email", "admin:org", "user_photos", access will be redeemed (e.g. "email", "admin:org", "user_photos",
"channels:read", and "channels:write" are a small sample of scope "channels:read", and "channels:write" are a small sample of scope
values in use in the wild that convey only the type of access and not values in use in the wild that convey only the type of access and not
the location). the location or identity).
In some circumstances and for some deployments, a means for the In some circumstances and for some deployments, a means for the
client to signal to the authorization server where it intends to use client to signal to the authorization server where it intends to use
the access token it's requesting is important and useful. A number the access token it's requesting is important and useful. A number
of implementations and deployments of OAuth 2.0 have already employed of implementations and deployments of OAuth 2.0 have already employed
proprietary parameters toward that end. Going forward, this proprietary parameters toward that end. Going forward, this
specification aspires to provide a standardized and interoperable specification aspires to provide a standardized and interoperable
alternative to the proprietary approaches. alternative to the proprietary approaches.
1.1. Requirements Notation and Conventions 1.1. Requirements Notation and Conventions
skipping to change at page 4, line 6 skipping to change at page 4, line 6
"client" defined by The OAuth 2.0 Authorization Framework [RFC6749]. "client" defined by The OAuth 2.0 Authorization Framework [RFC6749].
2. Resource Parameter 2. Resource Parameter
In requests to the authorization server, a client MAY indicate the In requests to the authorization server, a client MAY indicate the
protected resource (a.k.a. resource server, application, API, etc.) protected resource (a.k.a. resource server, application, API, etc.)
to which it is requesting access by including the following parameter to which it is requesting access by including the following parameter
in the request. in the request.
resource resource
Indicates the location of the target service or resource where Indicates the target service or resource at which access is being
access is being requested. Its value MUST be an absolute URI, as requested. Its value MUST be an absolute URI, as specified by
specified by Section 4.3 of [RFC3986], which MAY include a query Section 4.3 of [RFC3986], which MAY include a query component but
component but MUST NOT include a fragment component. Multiple MUST NOT include a fragment component. The "resource" parameter
"resource" parameters MAY be used to indicate that the requested URI value is an identifier representing the identity of the
token is intended to be used at multiple resources. resource, which MAY be a locator that corresponds to a network
addressable location where the target resource is hosted.
Multiple "resource" parameters MAY be used to indicate that the
requested token is intended to be used at multiple resources.
The parameter value indicates the location of a protected resource, The parameter value identifies a resource to which the client is
typically as an https URL, where the client is requesting access. requesting access. The parameter can carry the location of a
This enables the authorization server to apply policy as appropriate protected resource, typically as an https URL, or a more abstract
for the resource, such as determining the type and content of tokens identifier. This enables the authorization server to apply policy as
to be issued, if and how tokens are encrypted, and applying appropriate for the resource, such as determining the type and
appropriate audience restrictions. content of tokens to be issued, if and how tokens are encrypted, and
applying appropriate audience restrictions.
The client SHOULD provide the most specific URI that it can for the The client SHOULD provide the most specific URI that it can for the
complete API or set of resources it intends to access. In practice a complete API or set of resources it intends to access. In practice a
client will know a base URI for the application or resource that it client will know a base URI for the application or resource that it
interacts with, which is appropriate to use as the value of the interacts with, which is appropriate to use as the value of the
"resource" parameter. The client SHOULD use the base URI of the API "resource" parameter. The client SHOULD use the base URI of the API
as the "resource" parameter value unless specific knowledge of the as the "resource" parameter value unless specific knowledge of the
resource dictates otherwise. For example, the value resource dictates otherwise. For example, the value
"https://api.example.com/" would be used for a resource that is the "https://api.example.com/" would be used for a resource that is the
exclusive application on that host, however, if the resource is one exclusive application on that host, however, if the resource is one
skipping to change at page 5, line 11 skipping to change at page 5, line 16
[RFC7519] with the "aud" claim and the top-level member of the same [RFC7519] with the "aud" claim and the top-level member of the same
name provides the audience restriction information in a Token name provides the audience restriction information in a Token
Introspection [RFC7662] response. The authorization server may use Introspection [RFC7662] response. The authorization server may use
the exact "resource" value as the audience or it may map from that the exact "resource" value as the audience or it may map from that
value to a more general URI or abstract identifier for the given value to a more general URI or abstract identifier for the given
resource. resource.
2.1. Authorization Request 2.1. Authorization Request
When the "resource" parameter is used in an authorization request to When the "resource" parameter is used in an authorization request to
the authorization endpoint, it indicates the location of the the authorization endpoint, it indicates the identity of the
protected resource(s) to which access is being requested. When an protected resource(s) to which access is being requested. When an
access token will be returned directly from the authorization access token will be returned directly from the authorization
endpoint via the implicit flow (Section 4.2 of OAuth 2.0 [RFC6749]), endpoint via the implicit flow (Section 4.2 of OAuth 2.0 [RFC6749]),
the requested resource is applicable to that access token. In the the requested resource is applicable to that access token. In the
code flow (Section 4.1 of OAuth 2.0 [RFC6749]) where an an code flow (Section 4.1 of OAuth 2.0 [RFC6749]) where an an
intermediate representation of the authorization grant (the intermediate representation of the authorization grant (the
authorization code) is returned from the authorization endpoint, the authorization code) is returned from the authorization endpoint, the
requested resource is applicable to the full authorization grant. requested resource is applicable to the full authorization grant.
For authorization requests sent as a JWTs, such as when using JWT For authorization requests sent as a JWTs, such as when using JWT
skipping to change at page 6, line 34 skipping to change at page 6, line 36
&scope=calendar%20contacts &scope=calendar%20contacts
&resource=https%3A%2F%2Fcal.example.com%2F &resource=https%3A%2F%2Fcal.example.com%2F
&resource=https%3A%2F%2Fcontacts.example.com%2F HTTP/1.1 &resource=https%3A%2F%2Fcontacts.example.com%2F HTTP/1.1
Host: authorization-server.example.com Host: authorization-server.example.com
Figure 2: Code Flow Authorization Request Figure 2: Code Flow Authorization Request
2.2. Access Token Request 2.2. Access Token Request
When the "resource" parameter is used on an access token request made When the "resource" parameter is used on an access token request made
to the token endpoint, for all grant types, it indicates the location to the token endpoint, for all grant types, it indicates the target
of the target service or protected resource where the client intends service or protected resource where the client intends to use the
to use the requested access token. requested access token.
The resource value(s) that are acceptable to an authorization server The resource value(s) that are acceptable to an authorization server
in fulfilling an access token request are at its sole discretion in fulfilling an access token request are at its sole discretion
based on local policy or configuration. In the case of a based on local policy or configuration. In the case of a
"refresh_token" or "authorization_code" grant type request, such "refresh_token" or "authorization_code" grant type request, such
policy may limit the acceptable resources to those that were policy may limit the acceptable resources to those that were
originally granted by the resource owner or a subset thereof. In the originally granted by the resource owner or a subset thereof. In the
"authorization_code" case where the requested resources are a subset "authorization_code" case where the requested resources are a subset
of the set of resources originally granted, the authorization server of the set of resources originally granted, the authorization server
will issue an access token based on that subset of requested will issue an access token based on that subset of requested
skipping to change at page 10, line 5 skipping to change at page 9, line 50
Although multiple occurrences of the "resource" parameter may be Although multiple occurrences of the "resource" parameter may be
included in a request, using only a single "resource" parameter is included in a request, using only a single "resource" parameter is
encouraged. A bearer token that has multiple intended recipients encouraged. A bearer token that has multiple intended recipients
(audiences) can be used by any one of those recipients at any other. (audiences) can be used by any one of those recipients at any other.
Thus, a high degree of trust between the involved parties is needed Thus, a high degree of trust between the involved parties is needed
when using access tokens with multiple audiences. Furthermore an when using access tokens with multiple audiences. Furthermore an
authorization server may be unwilling or unable to fulfill a token authorization server may be unwilling or unable to fulfill a token
request with multiple resources. request with multiple resources.
Whenever feasible, the "resource" parameter should correspond to the
network addressable location of the protected resource. This makes
it possible for the client to validate that the resource being
requested controls the corresponding network location, reducing the
risk of malicious endpoints obtaining tokens meant for other
resources. If the "resource" parameter contains an abstract
identifier, it is the client's responsibility to validate out of band
that any network endpoint to which tokens are sent are the intended
audience for that identifier.
4. IANA Considerations 4. IANA Considerations
4.1. OAuth Parameters Registration 4.1. OAuth Parameters Registration
This specification registers the following value in the IANA "OAuth This specification registers the following value in the IANA "OAuth
Parameters" registry [IANA.OAuth.Parameters] established by Parameters" registry [IANA.OAuth.Parameters] established by
[RFC6749]. [RFC6749].
o Parameter name: resource o Parameter name: resource
o Parameter usage location: authorization request, token request o Parameter usage location: authorization request, token request
skipping to change at page 11, line 48 skipping to change at page 12, line 4
[RFC7662] Richer, J., Ed., "OAuth 2.0 Token Introspection", [RFC7662] Richer, J., Ed., "OAuth 2.0 Token Introspection",
RFC 7662, DOI 10.17487/RFC7662, October 2015, RFC 7662, DOI 10.17487/RFC7662, October 2015,
<https://www.rfc-editor.org/info/rfc7662>. <https://www.rfc-editor.org/info/rfc7662>.
Appendix A. Acknowledgements Appendix A. Acknowledgements
This specification was developed within the OAuth Working Group under This specification was developed within the OAuth Working Group under
the chairmanship of Hannes Tschofenig and Rifaat Shekh-Yusef with the chairmanship of Hannes Tschofenig and Rifaat Shekh-Yusef with
Eric Rescorla and Benjamin Kaduk serving as Security Area Directors. Eric Rescorla and Benjamin Kaduk serving as Security Area Directors.
Additionally, the following individuals contributed ideas, feedback, Additionally, the following individuals contributed ideas, feedback,
and wording that helped shape this specification: and wording that helped shape this specification:
Sergey Beryozkin, William Denniss, Vladimir Dzhuvinov, George Vittorio Bertocci, Sergey Beryozkin, William Denniss, Vladimir
Fletcher, Dick Hardt, Phil Hunt, Michael Jones, Torsten Lodderstedt, Dzhuvinov, George Fletcher, Dick Hardt, Phil Hunt, Michael Jones,
Anthony Nadalin, Justin Richer, Nat Sakimura, Filip Skokan, and Hans Torsten Lodderstedt, Anthony Nadalin, Justin Richer, Nat Sakimura,
Zandbelt. Filip Skokan, and Hans Zandbelt.
Appendix B. Document History Appendix B. Document History
[[ to be removed by the RFC Editor before publication as an RFC ]] [[ to be removed by the RFC Editor before publication as an RFC ]]
draft-ietf-oauth-resource-indicators-02
o Clarify that the value of the "resource" parameter is a URI which
can be an abstract identifier for the target resource and doesn't
necessarily have to correspond to a network addressable location.
draft-ietf-oauth-resource-indicators-01 draft-ietf-oauth-resource-indicators-01
o Significant rework of the main section of the document attempting o Significant rework of the main section of the document attempting
to clarify a number of things that came up at, around and after to clarify a number of things that came up at, around and after
IETF 102 and the call for adoption. IETF 102 and the call for adoption.
o Change the "invalid_resource" error to "invalid_target" to align o Change the "invalid_resource" error to "invalid_target" to align
with draft-ietf-oauth-token-exchange, which has some overlap in with draft-ietf-oauth-token-exchange, which has some overlap in
functionality. functionality.
o Allow the "resource" parameter value to have a query component o Allow the "resource" parameter value to have a query component
(aligning with draft-ietf-oauth-token-exchange). (aligning with draft-ietf-oauth-token-exchange).
 End of changes. 15 change blocks. 
27 lines changed or deleted 48 lines changed or added

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/