From ec6c176dc31c3a3225b297bea024bb45505e2476 Mon Sep 17 00:00:00 2001 From: PieterKas <90690777+PieterKas@users.noreply.github.com> Date: Fri, 27 Sep 2024 17:03:17 +0100 Subject: [PATCH 1/2] Additional detail on 'aud' claim See issue #134 --- draft-ietf-oauth-transaction-tokens.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/draft-ietf-oauth-transaction-tokens.md b/draft-ietf-oauth-transaction-tokens.md index d18e95d..e655f91 100644 --- a/draft-ietf-oauth-transaction-tokens.md +++ b/draft-ietf-oauth-transaction-tokens.md @@ -342,7 +342,7 @@ JWT claims as well as defines new claims. These claims are described below: : REQUIRED The issued at time of the Txn-Token as defined in {{RFC7519}} `aud`: -: REQUIRED This claim, defined in {{RFC7519}}, identifies the trust domain in which the Txn-Token is valid. This identifier MUST uniquely identify the trust domain. +: REQUIRED This claim, defined in {{RFC7519}}, identifies the trust domain in which the Txn-Token is valid. This identifier MUST uniquely identify the trust domain to prevent the Txn-Token from being accepted outside it's current Trust Domain. `exp`: : REQUIRED Expiry time of the Txn-Token as defined in {{RFC7519}} 
@@ -451,8 +451,8 @@ A workload requesting a Txn-Token must provide the Transaction Token Service wit To request a Txn-Token the workload invokes the OAuth 2.0 {{RFC6749}} token endpoint with the following parameters: -* `grant_type` REQUIRED. The value MUST be set to `urn:ietf:params:oauth:grant-type:token-exchange` -* `audience` REQUIRED. The value MUST be set to the Trust Domain name +* `grant_type` REQUIRED. The value MUST be set to `urn:ietf:params:oauth:grant-type:token-exchange`. +* `audience` REQUIRED. The value of the aud claim MUST remain unchanged in a replacement Txn-Token to prevent the Txn-Token from being accepted outside it's current Trust Domain. * `scope` REQUIRED. A space-delimited list of case-sensitive strings where the value(s) MUST represent the specific purpose or intent of the transaction. * `requested_token_type` REQUIRED. The value MUST be `urn:ietf:params:oauth:token-type:txn_token` * `subject_token` REQUIRED. The value MUST represent the subject of the transaction. This MAY be: From 490abac173ad4e681a745fb3be91e58cf9fb562c Mon Sep 17 00:00:00 2001 From: PieterKas <90690777+PieterKas@users.noreply.github.com> Date: Fri, 4 Oct 2024 19:57:55 +0100 Subject: [PATCH 2/2] Update draft-ietf-oauth-transaction-tokens.md --- draft-ietf-oauth-transaction-tokens.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/draft-ietf-oauth-transaction-tokens.md b/draft-ietf-oauth-transaction-tokens.md index e655f91..a908ee1 100644 --- a/draft-ietf-oauth-transaction-tokens.md +++ b/draft-ietf-oauth-transaction-tokens.md 
@@ -342,7 +342,7 @@ JWT claims as well as defines new claims. These claims are described below: : REQUIRED The issued at time of the Txn-Token as defined in {{RFC7519}} `aud`: -: REQUIRED This claim, defined in {{RFC7519}}, identifies the trust domain in which the Txn-Token is valid. This identifier MUST uniquely identify the trust domain to prevent the Txn-Token from being accepted outside it's current Trust Domain. +: REQUIRED This claim, defined in {{RFC7519}}, identifies the trust domain in which the Txn-Token is valid. This identifier MUST uniquely identify the trust domain to prevent the Txn-Token from being accepted outside it's current trust domain. `exp`: : REQUIRED Expiry time of the Txn-Token as defined in {{RFC7519}} @@ -452,7 +452,7 @@ A workload requesting a Txn-Token must provide the Transaction Token Service wit To request a Txn-Token the workload invokes the OAuth 2.0 {{RFC6749}} token endpoint with the following parameters: * `grant_type` REQUIRED. The value MUST be set to `urn:ietf:params:oauth:grant-type:token-exchange`. -* `audience` REQUIRED. The value of the aud claim MUST remain unchanged in a replacement Txn-Token to prevent the Txn-Token from being accepted outside it's current Trust Domain. +* `audience` REQUIRED. The value MUST be set to the trust domain name. * `scope` REQUIRED. A space-delimited list of case-sensitive strings where the value(s) MUST represent the specific purpose or intent of the transaction. * `requested_token_type` REQUIRED. The value MUST be `urn:ietf:params:oauth:token-type:txn_token` * `subject_token` REQUIRED. The value MUST represent the subject of the transaction. This MAY be:
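Review bot: In the PATCH 1/2 hunk at line 342 (`aud` claim), the added text "outside it's current Trust Domain" uses "it's" where the possessive "its" is meant, and the same sentence spells the term both "trust domain" and "Trust Domain". Suggest "...to prevent the Txn-Token from being accepted outside its trust domain." ("current" adds nothing, since a Txn-Token is valid in exactly one trust domain.)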
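Review bot: In the PATCH 1/2 hunk at line 451 (`audience` request parameter), the rewritten bullet no longer tells the requesting workload what value to send; it replaces the normative "The value MUST be set to the Trust Domain name" with a constraint on the `aud` claim of a replacement Txn-Token, which is a statement about token issuance, not about this request parameter. Keep the value requirement in this list and put the replacement-token constraint in the section that describes replacement Txn-Tokens or next to the `aud` claim definition. Minor: the trailing period added to the `grant_type` bullet is not added to `requested_token_type`, leaving the list inconsistently punctuated.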
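Review bot: In the PATCH 2/2 hunk at line 342, the capitalization is now consistent, but "outside it's current trust domain" still has "it's" for the possessive "its". Suggest "...from being accepted outside its trust domain."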
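Review bot: In the PATCH 2/2 hunk at line 452, restoring "The value MUST be set to the trust domain name." for the `audience` parameter is the right fix for a request-parameter description, but the requirement introduced in PATCH 1/2 that the `aud` claim remain unchanged in a replacement Txn-Token is removed here without being placed anywhere else in the series. If that requirement is part of the intent behind issue #134, relocate it to the replacement Txn-Token text rather than dropping it. The `requested_token_type` bullet still lacks the trailing period that `grant_type` now has.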