Add token requirement for intented audience #2363
Comments
|
If this requirement will be added as general requirement for tokens, we need to recheck OAuth-specific requirement:
|
|
To have an general requirement, we should not limit it to access tokens. It is required to check the aud for other tokens as well, at the moment the proposal seems unnecessary limitation. I think the outcome is part of spliting 3.5.6 to requirements "per task" #1967 (comment). |
|
Are the title and proposal in conflict? scope vs audience? |
|
Yes, a better title would be "Add requirement to mitigate the risk of accepting tokens that was not intended to be valid for a particular service" and rewrite in a more general way, maybe like this
|
|
I think the |
|
Proposed refinement:
|
|
Actually, thinking about this further, and in relation to #1967, could we not also wrap up 'iss' into this as a service could have a relationship with an issuer such that all tokens from the issuer are valid for the service? |
(If I understand what you are saying,) that should be frowned upon in general because it makes way for token abuse (from one service to another, etc.). The |
elarlang
changed the title
|
'iss' is a separate topic - who made ('iss') vs for what service it is made ('aud'). Problem to solve - tokens from one issuer made for different services must not be cross-usable for each other (if it not clearly intended so by the 'aud' definition). Based on the latest proposal #2363 (comment) Proposed change:
For both cases, I think the word "service" may be misinterpreted, especially if the context is not too well known.
|
|
If we are happy with the general requirement, it is ready for PR. We have similar requirement for OAuth scenario, this deduplication will be handled in #2182 (comment). |
Should we add a new general requirement for "intended usage"? We also have this in 51.1.1 where it is OIDC/OAuth specific for different token types (e g OIDC ID Tokens), but I think it is good to have a general requirement for "intended usage" since it is not just important for OAuth/OIDC flows. |
elarlang
added
1) Discussion ongoing
Please one problem per issue, I opened a separate issue for that: #2379 |
|
The wording of the current proposition is not correct: we don't want to "verify that the token is intended". Instead, we want to "verify that the service checks that the token is intended". So it should looks somewhat like:
|
|
I agree with the problem statement, but not with the new proposal (we need to have general requirement into V3.5). Updated proposal:
|
|
If no further comments and feedback, I'll PR it tomorrow. |
elarlang
added
6) PR awaiting review
and removed
4) proposal for review
|
My proposal
The first sentence was a little clunky using the word token 3 times. I have tried to make it smoother, I don't think it changes the meaning of the first sentence when supported by the 2nd sentence. |
elarlang
added
4a) Waiting for another
|
If would like to get the "audience" back (as it was proposed and explained in #2363 (comment)) - it is called "audience restriction" and it makes it clearer why the requirement exists and what is the main goal. Waiting for #2182 to be in sync. |
|
So how about:
|
|
I'm going to use just "(audience)". "Usually defined" feels like some fact based on stats, Using |
Add access token requirement to mitigate the risk of accepting tokens that was not intended to be valid for a particular service (API).
This is part of "cleaning up 3.5" see #1917 (comment)
The text was updated successfully, but these errors were encountered: