Clarify need to validate the signature on signed subject tokens #253
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -566,25 +566,19 @@ A requester MAY use an unsigned JSON object as a `subject_token` value. In that | |
| The unsigned JSON object MAY contain other fields, and the Txn-Token Service MAY consider them when generating the Txn-Token. | ||
|
|
||
| ## Txn-Token Request Processing | ||
| When the Transaction Token Service receives a Txn-Token Request it: | ||
|
|
||
| * MUST validate the requesting workload client authentication and determine if that workload is authorized to obtain the Txn-Tokens with the requested values. The authorization policy for determining such issuance is out of scope for this specification. | ||
| * Next, the Transaction Token Service MUST validate the `subject_token`, including verifying the signature, if it is signed. | ||
| * The Txn-Token Service determines the value to specify as the `sub` of the Txn-Token and MUST ensure the `sub` value is unique within the Trust Domain defined by the `aud` claim. | ||
|
Collaborator
There was a problem hiding this comment. If workloads are going to be obtaining transaction tokens, and
Collaborator
Author
There was a problem hiding this comment. @gffletch - it is up to the transaction token service to determine the "sub" claim. The way in which that is interpreted is domain specific. |
||
| * The Transaction Token Service MUST set the `iat` claim to the time of issuance of the Txn-Token. | ||
| * The Transaction Token Service MUST set the `aud` claim to an identifier representing the Trust Domain of the Transaction Token Service. If the Transaction Token Service supports multiple Trust Domains, then it MUST determine the correct `aud` value for this request. | ||
| * The Transaction Token Service MUST set the `exp` claim to the expiry time of the Txn-Token. The Txn-Token Service MAY consider any `exp` value present in the `subject_token` parameter of the Txn-Token Request in determining the `exp` value of the resulting Txn-Token. | ||
| * The Transaction Token Service MUST set the `txn` claim to a unique ID specific to this transaction. | ||
| * The Transaction Token Service MAY set the `iss` claim of the Txn-Token to a value defining the entity that signed the Txn-Token. This claim MUST be omitted if not set. | ||
| * The Transaction Token Service MUST evaluate the value specified in the `scope` parameter of the request to determine the `purp` claim of the issued Txn-Token. | ||
PieterKas marked this conversation as resolved.
Outdated
Show resolved
Hide resolved
|
||
| * If a `request_context` parameter is present in the Txn-Token Request, the data SHOULD be added to the `rctx` object of the Txn-Token. In addition, the Transaction Token Service SHOULD add the authenticated requesting workload identifier in the `rctx` object as the `req_wl` claim. | ||
|
Collaborator
There was a problem hiding this comment. Is adding the requesting workload a SHOULD because we don't want to be too prescriptive? My preference would be to make this a MUST.
Collaborator
Author
Collaborator
There was a problem hiding this comment. I had a different opinion of the My logic is that the requester may send it a number of different things in the Thoughts?
Collaborator
Author
There was a problem hiding this comment. @tulshi, @gffletch This PR was about making it clear that the signature should be verified - the rest was formatting... However, if we want to discuss rctx content (which is not the subject of this PR, but clearly a valid thing to discuss), perhaps we can merge this and open a separate issue and discuss request_context and tctx there instead? My preference is to contain the PR to the issue it was meant to address (clarifying that the signatture needs to be verified). |
||
| * If a `request_details` parameter is present in the Txn-Token Request, then the Transaction Token Service SHOULD propagate the data from the `request_details` object into the claims in the `tctx` object as authorized by the Transaction Token Service authorization policy for the requesting client. | ||
|
|
||
| The Transaction Token Service MAY provide additional processing and verification that is outside the scope of this specification. | ||
|
|
||
|
|
@@ -797,6 +791,7 @@ The authors would like to thank the contributors and the OAuth working group mem | |
| * Remove definition of Authorization Context [Be more specific on Authorization Context](https://github.com/oauth-wg/oauth-transaction-tokens/issues/192) | ||
| * Clarify text on use of empty parameter: https://github.com/oauth-wg/oauth-transaction-tokens/issues/235 | ||
| * Clarify that workloads should ensure it is communicating with a legitimate instance of a transaction token service (https://github.com/oauth-wg/oauth-transaction-tokens/issues/233) | ||
| * Clarify need to validate signature on subject_token if it is signed. | ||
| * Clarify role of transaction tokens in call chain (https://github.com/oauth-wg/oauth-transaction-tokens/issues/203) | ||
| * Remove exp field from unsigend token (https://github.com/oauth-wg/oauth-transaction-tokens/issues/201) | ||
|
|
||
|
|
||
Uh oh!
There was an error while loading. Please reload this page.