[OpenID-Specs-eKYC-IDA] Issue #1294: [IDA] Audience of Access Tokens for External Attachments (openid/ekyc-ida)
Takahiko Kawasaki
issues-reply at bitbucket.org
Wed Mar 2 14:39:49 UTC 2022
New issue 1294: [IDA] Audience of Access Tokens for External Attachments
https://bitbucket.org/openid/ekyc-ida/issues/1294/ida-audience-of-access-tokens-for-external
Takahiko Kawasaki:
Proposal. How about setting `"url"` as the audience of the corresponding access token for the external attachment, as if the `resource` request parameter (which is defined in [RFC 8707 Resource Indicators for OAuth 2.0](https://www.rfc-editor.org/rfc/rfc8707.html)) were used for the access token?
If the resource server hosting contents of external attachments is sure that a presented access token contains the url of the content as audience, the resource server can check whether the audience of the access token matches the URL and can reject the resource access when they do not match. I think that this behavior is what RFC 8707 wants to achieve and an ideal use case of access token audience.
Although the third implementer’s draft of OIDC4IDA states as follows:
> If the `access_token` element is not available, RPs MUST use the Access Token issued by the OP in the Token response and when requesting the attachment the RP MUST use the same method as when accessing the UserInfo endpoint.
the resource server cannot implement the ideal behavior described above with the access token issued from the token endpoint. A single-purpose access token (which can be used only for accessing the content of one external attachment) is better from a security perspective, and it might be good to mention it in the specification.
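The audience check described above, as an added example that is not part of the original post or of the OIDC4IDA specification. It models the OP minting a JWT access token whose `aud` is the attachment `url` (as if an RFC 8707 `resource` parameter had named it) and the resource server hosting the attachment rejecting any token whose audience does not name the URL being fetched. The shared HMAC secret, issuer, attachment URL and userinfo audience are all constructed assumptions chosen so the snippet runs offline; a real deployment would verify an asymmetric signature against the OP's published keys.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo values (assumptions, not from the thread or the spec).
# HS256 with a shared secret keeps the example self-contained; a real RS
# would verify an RS256/ES256 signature with the OP's JWKS instead.
SECRET = b"demo-shared-secret-not-for-production"
ISSUER = "https://op.example.com"
USERINFO_AUDIENCE = "https://op.example.com/userinfo"
ATTACHMENT_URL = "https://attachments.example.com/evidence/12345.pdf"
OTHER_ATTACHMENT_URL = "https://attachments.example.com/evidence/99999.pdf"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_access_token(audience: str, scope: str, lifetime: int = 300) -> str:
    """OP side: mint a JWT access token (RFC 9068 'at+jwt' style) whose
    audience is `audience`. Passing the attachment URL here is the
    behaviour the proposal asks for: the token is single-purpose."""
    header = {"alg": "HS256", "typ": "at+jwt"}
    now = int(time.time())
    claims = {
        "iss": ISSUER,
        "sub": "user-1",
        "aud": audience,
        "scope": scope,
        "iat": now,
        "exp": now + lifetime,
    }
    signing_input = (
        f"{b64url(json.dumps(header).encode())}."
        f"{b64url(json.dumps(claims).encode())}"
    )
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"


def verify_and_decode(token: str):
    """Return the claims if the signature is valid and the token is not
    expired, otherwise None. No audience logic here; that belongs to the
    resource being protected."""
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
    except ValueError:
        return None
    signing_input = f"{header_b64}.{claims_b64}".encode()
    expected = hmac.new(SECRET, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None
    claims = json.loads(b64url_decode(claims_b64))
    if claims.get("iss") != ISSUER or claims.get("exp", 0) < int(time.time()):
        return None
    return claims


def authorize_attachment_access(token: str, requested_url: str):
    """Resource-server side: accept only a token whose audience names
    exactly the attachment URL being requested. `aud` may be a string or
    a list per RFC 7519, so both shapes are handled. Comparison is exact
    string equality on purpose: no prefix or origin matching, otherwise a
    token for one attachment would open every attachment on the host."""
    claims = verify_and_decode(token)
    if claims is None:
        return False, "invalid_token"
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if requested_url not in audiences:
        return False, "invalid_token: audience does not match attachment url"
    return True, "ok"


def demo():
    """Single-purpose token works for its own URL and nothing else; the
    general token issued for the UserInfo endpoint is rejected outright."""
    single_purpose = issue_access_token(ATTACHMENT_URL, "openid")
    userinfo_token = issue_access_token(USERINFO_AUDIENCE, "openid")
    return {
        "own_url": authorize_attachment_access(single_purpose, ATTACHMENT_URL)[0],
        "other_url": authorize_attachment_access(single_purpose, OTHER_ATTACHMENT_URL)[0],
        "userinfo_token": authorize_attachment_access(userinfo_token, ATTACHMENT_URL)[0],
        "tampered": authorize_attachment_access(single_purpose[:-2] + "AA", ATTACHMENT_URL)[0],
    }


if __name__ == "__main__":
    print(demo())
```

The `demo()` result makes the proposal's point concrete: the token bound to `ATTACHMENT_URL` is accepted there and nowhere else, while the token the RP would otherwise reuse from the Token response (audience = UserInfo) cannot be distinguished from a token stolen for some unrelated purpose, so the resource server has nothing to check against and must either accept it blindly or reject all such tokens.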