|
503 | 503 | No IANA actions are requested by this specification. |
504 | 504 | </t> |
505 | 505 | </section> |
| 506 | + |
| 507 | + <section title="Updates to RFC 7521" anchor="RFC7521Updates"> |
| 508 | + <t> |
| 509 | + This section updates |
| 510 | + "Assertion Framework for OAuth 2.0 Client Authentication and |
| 511 | + Authorization Grants" <xref target="RFC7521"/> |
| 512 | + to tighten its audience requirements to prevent attacks. |
| 513 | + </t> |
| 514 | + <t> |
| 515 | + The description of the Audience parameter |
| 516 | + in Section 5.1 of <xref target="RFC7521"/> (Assertion Metamodel) |
| 517 | + is replaced by: |
| 518 | + <list style="hanging"> |
| 519 | + |
| 520 | + <t hangText="Audience"> |
| 521 | + <vspace/> |
| 522 | + A value that identifies the party intended to process the assertion. |
| 523 | + The audience MUST contain the issuer identifier <xref target="RFC8414"/> |
| 524 | + of the authorization server as its sole value. |
| 525 | + Unlike the audience value specified |
| 526 | + in <xref target="RFC7521"/>, there MUST be no value other than |
| 527 | + the issuer identifier of the intended authorization server |
| 528 | + used as the audience of the assertion; |
| 529 | + this includes that the token endpoint URL of the authorization server |
| 530 | + MUST NOT be used as an audience value. |
| 531 | + </t> |
| 532 | + </list> |
| 533 | + </t> |
| 534 | + <t> |
| 535 | + The description of the Audience parameter |
| 536 | + in Section 5.2 of <xref target="RFC7521"/> (General Assertion Format and Processing Rules) |
| 537 | + is replaced by: |
| 538 | + <list style="symbols"> |
| 539 | + <t> |
| 540 | + The assertion MUST contain an audience that identifies the |
| 541 | + authorization server as the intended audience, |
| 542 | + with the issuer identifier <xref target="RFC8414"/> |
| 543 | + of the authorization server as its sole value. |
| 544 | + The authorization server MUST reject any assertion that does not |
| 545 | + contain its own issuer identifier as the sole audience value. |
| 546 | + </t> |
| 547 | + </list> |
| 548 | + </t> |
| 549 | + <t> |
| 550 | + In the list of agreements required by participants |
| 551 | + in Section 7 of <xref target="RFC7521"/> (Interoperability Considerations), |
| 552 | + "Audience identifiers" is removed from the list. |
| 553 | + </t> |
| 554 | + </section> |
| 555 | + |
506 | 556 | </middle> |
507 | 557 |
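Review bot: The replacement text for the Audience parameter (the "MUST contain the issuer identifier ... as its sole value" sentence in the Section 5.1 replacement, and the matching "MUST reject" rule in the Section 5.2 replacement) never says how the received audience value is compared with the authorization server's issuer identifier. The reject rule is only as strong as that comparison: if an implementer applies URL normalization or prefix matching, a value such as the issuer identifier with a trailing path or a different port could still pass, which is the kind of audience confusion this section exists to close. Suggest adding one sentence, e.g. "The comparison MUST be performed using simple string comparison with no normalization", next to the "as its sole value" requirement, and having the section introduction cite the Security Considerations section instead of the bare phrase "to prevent attacks", so readers see which attack the tightening addresses.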
|
508 | 558 | <back> |
|
515 | 565 | <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7159.xml"/> |
516 | 566 | <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7521.xml"/> |
517 | 567 | <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8174.xml"/> |
| 568 | + <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8414.xml"/> |
518 | 569 |
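Review bot: The new RFC8414 include must land in the Normative References list, because the new section cites it from MUST-level text ("The audience MUST contain the issuer identifier <xref target="RFC8414"/>"). The neighbouring entries (RFC 7521, RFC 8174) suggest this is that list, but please confirm rather than relying on the position in the diff; xml2rfc will not flag a normative citation placed under Informative References.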
|
519 | 570 | <!-- Reference from https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7518.xml with change to anchor="JWA" --> |
520 | 571 |
|
|
617 | 668 | removing the IANA actions already performed, |
618 | 669 | and adding the Document History section. |
619 | 670 | </t> |
| 671 | + <t> |
| 672 | + Update audience requirements in |
| 673 | + "Assertion Framework for OAuth 2.0 Client Authentication and |
| 674 | + Authorization Grants" <xref target="RFC7521"/>. |
| 675 | + </t> |
620 | 676 | </list> |
621 | 677 | </t> |
622 | 678 |
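Review bot: The history entry is fine, but a section that replaces normative text in RFC 7521 also needs the document header to declare `updates="7521"` on the `<rfc>` element and the abstract to state that this document updates RFC 7521; neither change appears in this diff. Without the header attribute the RFC Editor and the datatracker will not record the update relationship, and implementers reading only the abstract will not learn that the audience rules of RFC 7521 have changed.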
|
|