[IDA] Audience of Access Tokens for External Attachments

Issue #1294 resolved
Takahiko Kawasaki created an issue

Proposal. How about setting "url" as the audience of the corresponding access token for the external attachment, as if the resource request parameter (which is defined in RFC 8707 Resource Indicators for OAuth 2.0) were used for the access token?

If the resource server hosting the contents of external attachments is sure that a presented access token contains the URL of the content as its audience, the resource server can check whether the audience of the access token matches the URL and can reject the resource access when they do not match. I think that this behavior is what RFC 8707 wants to achieve and is an ideal use case of access token audience.

Although the third implementer’s draft of OIDC4IDA states as follows:

If the access_token element is not available, RPs MUST use the Access Token issued by the OP in the Token response and when requesting the attachment the RP MUST use the same method as when accessing the UserInfo endpoint.

the resource server cannot implement the ideal behavior described above with the access token issued from the token endpoint. A single-purpose access token (which can be used only for accessing the content of one external attachment) is better from a security perspective, and it might be good to mention it in the specification.

Comments (6)

  1. gffletch

    I like the binding but there may be some complications with deployments that use edges to rewrite the url so that an “exact match” check with the “aud” claim would fail.

    It is RECOMMENDED that access tokens for external attachments have a binding to the specific resource being requested so that the access token may not be used to retrieve additional external attachments or resources.
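The resource-server side of the proposed binding, as an added example that is not part of the issue or of the OIDC4IDA specification: the token's `aud` (after signature and expiry checks have already been done elsewhere) must name exactly the attachment URL being fetched, so a token issued for the UserInfo endpoint or for another attachment is refused. The sample claim values and URLs are constructed; the final call shows the exact-match failure that an edge rewriting the public URL would cause, the deployment caveat raised in the comment above.

```python
"""Resource-server check: does the access token's "aud" name this exact
external attachment?  Added example; claim values and URLs are constructed."""
from urllib.parse import urlsplit, urlunsplit

DEFAULT_PORTS = {"https": 443, "http": 80}


def canonical_resource(uri: str) -> str:
    """Normalize an absolute URI for comparison: lowercase scheme and host,
    drop a default port, drop the fragment (RFC 8707 forbids fragments in
    resource values anyway). Path and query are kept byte-for-byte."""
    p = urlsplit(uri)
    scheme = p.scheme.lower()
    host = p.hostname or ""  # .hostname is already lowercased
    port = p.port
    netloc = host if port in (None, DEFAULT_PORTS.get(scheme)) else f"{host}:{port}"
    return urlunsplit((scheme, netloc, p.path or "/", p.query, ""))


def token_audiences(claims: dict) -> list[str]:
    """JWT "aud" may be a single string or an array of strings (RFC 7519)."""
    aud = claims.get("aud")
    if aud is None:
        return []
    return [aud] if isinstance(aud, str) else list(aud)


def may_fetch_attachment(claims: dict, requested_url: str) -> bool:
    """True only if one audience value is this attachment's URL.

    `claims` must already be signature-verified and inside exp/nbf; this
    function does no JWT parsing of its own. A token whose audience is the
    OP, the client, or the UserInfo endpoint is rejected, which is the
    single-purpose behaviour the issue asks for."""
    wanted = canonical_resource(requested_url)
    return any(canonical_resource(a) == wanted for a in token_audiences(claims))


# Constructed samples: the "url" of an attachment element becomes the aud.
ATTACHMENT_URL = "https://rs.example/attachments/7d9c"
BOUND_CLAIMS = {"iss": "https://op.example", "sub": "u1",
                "aud": ATTACHMENT_URL, "exp": 1_900_000_000}
USERINFO_CLAIMS = {"iss": "https://op.example", "sub": "u1",
                   "aud": "https://op.example/userinfo", "exp": 1_900_000_000}

if __name__ == "__main__":
    print(may_fetch_attachment(BOUND_CLAIMS, "HTTPS://RS.EXAMPLE:443/attachments/7d9c"))
    print(may_fetch_attachment(BOUND_CLAIMS, "https://rs.example/attachments/0000"))
    print(may_fetch_attachment(USERINFO_CLAIMS, ATTACHMENT_URL))
    # An edge rewriting the public host to an internal one breaks exact match:
    print(may_fetch_attachment(BOUND_CLAIMS, "https://rs-internal.example/attachments/7d9c"))
```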
