Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Terminology: "relying party" vs. "client" #169

Open
SECtim opened this issue Feb 28, 2024 · 3 comments
Open

Terminology: "relying party" vs. "client" #169

SECtim opened this issue Feb 28, 2024 · 3 comments
Labels
editorial This issue does not affect existing implementations

Comments

@SECtim
Copy link

SECtim commented Feb 28, 2024

In some places, the term "relying party" is used instead of "client":

This discloses the sensitive credentials to the client. If the
relying party is malicious, it can use the credentials to impersonate
the user at the AS.

#### Issue scoped bearer tokens
Authorization servers SHOULD issue bearer tokens
that contain an audience restriction, scoping their use to the
intended relying party or set of relying parties.

@aaronpk aaronpk added the editorial This issue does not affect existing implementations label May 11, 2024
@aaronpk
Copy link
Member

aaronpk commented Nov 15, 2024

@dickhardt this sentence is from RFC6750, but the terminology seems to conflict with modern uses of "audience restricted access tokens". Do you remember what this was intended to mean?

Issue scoped bearer tokens: Token servers SHOULD issue bearer tokens
that contain an audience restriction, scoping their use to the
intended relying party or set of relying parties.

aaronpk added a commit that referenced this issue Nov 15, 2024
@dickhardt
Copy link
Collaborator

In practice this is the 'aud' claim in a JWT -- but since 6750 does not specify a token format, this is guidance that the token should indicate who the audience is

The phrase "issue scoped bearer tokens" is confusing as it is conflating scopes with audience

Can you point me to what you mean by 'modern uses of "audience restricted access tokens"'

@dickhardt
Copy link
Collaborator

Also, In the case of 6750 as this is an access token, replying party is referring to the resource server, not the client.

# for free to join this conversation on GitHub. Already have an account? # to comment
Labels
editorial This issue does not affect existing implementations
Projects
None yet
Development

No branches or pull requests

3 participants