
<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">

<head>

<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">

<meta name="Generator" content="Microsoft Word 14 (filtered medium)">

<style><!--

/* Font Definitions */

@font-face

        {font-family:Calibri;

        panose-1:2 15 5 2 2 2 4 3 2 4;}

@font-face

        {font-family:Tahoma;

        panose-1:2 11 6 4 3 5 4 4 2 4;}

/* Style Definitions */

p.MsoNormal, li.MsoNormal, div.MsoNormal

        {margin:0in;

        margin-bottom:.0001pt;

        font-size:12.0pt;

        font-family:"Times New Roman","serif";}

a:link, span.MsoHyperlink

        {mso-style-priority:99;

        color:blue;

        text-decoration:underline;}

a:visited, span.MsoHyperlinkFollowed

        {mso-style-priority:99;

        color:purple;

        text-decoration:underline;}

span.apple-style-span

        {mso-style-name:apple-style-span;}

span.EmailStyle18

        {mso-style-type:personal-reply;

        font-family:"Calibri","sans-serif";

        color:#1F497D;}

.MsoChpDefault

        {mso-style-type:export-only;

        font-family:"Calibri","sans-serif";}

@page WordSection1

        {size:8.5in 11.0in;

        margin:1.0in 1.0in 1.0in 1.0in;}

div.WordSection1

        {page:WordSection1;}

--></style><!--[if gte mso 9]><xml>

<o:shapedefaults v:ext="edit" spidmax="1026" />

</xml><![endif]--><!--[if gte mso 9]><xml>

<o:shapelayout v:ext="edit">

<o:idmap v:ext="edit" data="1" />

</o:shapelayout></xml><![endif]-->

</head>

<body lang="EN-US" link="blue" vlink="purple">

<div class="WordSection1">

<p class="MsoNormal" style="background:white"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">></span><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#222222"> I am ok with RECOMMENDing that these audience

 to be encoded  in the access_token itself, but would like to let the implementors have  choices on it<o:p></o:p></span></p>

<p class="MsoNormal" style="background:white"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#222222"><o:p> </o:p></span></p>

<p class="MsoNormal" style="background:white"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#222222">Not sure what you mean by encoded in the access_token, I assume you mean that there is a aud_restriction claim in the token, not that

 the token is encoded somehow that the receiving parties can decode?</span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p></o:p></span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>

<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> openid-specs-ab-bounces@lists.openid.net [mailto:openid-specs-ab-bounces@lists.openid.net]

<b>On Behalf Of </b>Nat Sakimura<br>

<b>Sent:</b> Thursday, November 10, 2011 5:04 PM<br>

<b>To:</b> openid-specs-ab@lists.openid.net<br>

<b>Subject:</b> [Openid-specs-ab] Audience restriction of access_token/resource ep response in OpenID Connect<o:p></o:p></span></p>

<p class="MsoNormal"><o:p> </o:p></p>

<p class="MsoNormal"><span class="apple-style-span"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#222222;background:white">Hi. </span></span><o:p></o:p></p>

<div>

<p class="MsoNormal" style="background:white"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#222222"><o:p> </o:p></span></p>

</div>

<div>

<p class="MsoNormal" style="background:white"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#222222">Currently, as it turns out in OpenID Connect, the way to audience restrict <o:p></o:p></span></p>

</div>

<div>

<p class="MsoNormal" style="background:white"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#222222">the response of a resource endpoint is to encrypt the response <o:p></o:p></span></p>

</div>

<div>

<p class="MsoNormal" style="background:white"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#222222">using the key of the intended client. The server has to keep track of <o:p></o:p></span></p>

</div>

<div>

<p class="MsoNormal" style="background:white"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#222222">to whom the access_token was issued, i.e., client audience restriction, <o:p></o:p></span></p>

</div>

<div>

<p class="MsoNormal" style="background:white"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#222222">and use the registration information of that client to find out the relevant key. <o:p></o:p></span></p>

</div>

<div>

<p class="MsoNormal" style="background:white"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#222222"><o:p> </o:p></span></p>

</div>

<div>

<p class="MsoNormal" style="background:white"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#222222">By doing so, even if the request comes from a rogue party who phished the <o:p></o:p></span></p>

</div>

<div>

<p class="MsoNormal" style="background:white"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#222222">legitimate client, the rogue party cannot read the response, so it is secure. <o:p></o:p></span></p>

</div>

<div>

<p class="MsoNormal" style="background:white"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#222222"><o:p> </o:p></span></p>

</div>

<div>

<p class="MsoNormal" style="background:white"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#222222">As to the resource endpoint audience restriction is concerned, <o:p></o:p></span></p>

</div>

<div>

<p class="MsoNormal" style="background:white"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#222222">it is done implicitly in the sense that as the access_token is opaque, <o:p></o:p></span></p>

</div>

<div>

<p class="MsoNormal" style="background:white"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#222222">only the intended endpoint can actually interprete and validate it. <o:p></o:p></span></p>

</div>

<div>

<p class="MsoNormal" style="background:white"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#222222">This is how the resource endpoint audience restriction is done <o:p></o:p></span></p>

</div>

<div>

<p class="MsoNormal" style="background:white"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#222222">in OAuth 2.0 as I understand. <o:p></o:p></span></p>

</div>

<div>

<p class="MsoNormal" style="background:white"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#222222"><o:p> </o:p></span></p>

</div>

<div>

<p class="MsoNormal" style="background:white"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#222222">As it is written right now, how to record both client and resource endpoint <o:p></o:p></span></p>

</div>

<div>

<p class="MsoNormal" style="background:white"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#222222">audience restriction is an implementation detail. <o:p></o:p></span></p>

</div>

<div>

<p class="MsoNormal" style="background:white"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#222222">I think it should remain implementation detail, but <o:p></o:p></span></p>

</div>

<div>

<p class="MsoNormal" style="background:white"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#222222">it is worthwhile to note that somehow the audience restriction MUST be done. <o:p></o:p></span></p>

</div>

<div>

<p class="MsoNormal" style="background:white"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#222222">I am ok with RECOMMENDing that these audience to be encoded <o:p></o:p></span></p>

</div>

<div>

<p class="MsoNormal" style="background:white"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#222222">in the access_token itself, but would like to let the implementors have <o:p></o:p></span></p>

</div>

<div>

<p class="MsoNormal" style="background:white"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#222222">choices on it. <o:p></o:p></span></p>

</div>

<div>

<p class="MsoNormal"><o:p> </o:p></p>

</div>

<p class="MsoNormal">-- <br>

Nat Sakimura (=nat)<o:p></o:p></p>

<div>

<p class="MsoNormal">Chairman, OpenID Foundation<br>

<a href="http://nat.sakimura.org/" target="_blank">http://nat.sakimura.org/</a><br>

@_nat_en<o:p></o:p></p>

</div>

<p class="MsoNormal"><o:p> </o:p></p>

</div>

</body>

</html>