oauth-wg/oauth-transaction-tokens

audience REQUIRED for just one trust domain?

Closed this issue · 4 comments

This issue is somewhat related to the aud claim comment I made earlier via mail to the authors.

The spec states that the audience parameter is REQUIRED in the Txn-Token request. It contains the trust domain. To my understanding, every trust domain has a single (logical) Txn-Service. A Txn-Service is usually configured to only issue Txn-Tokens to one and only one trust domain. Also the authenticating clients which the Txn-Service accepts in incoming requests are part of that trust domain. After all, they have been registered within that trust domain. It might be possible that the Txn-Service is used in multiple trust domains. In those scenarios I fully agree that the audience parameter is REQUIRED. My guess is, though, that the most deployed setup will incorporate a single trust domain.

So, with the move to bind the sub claim to the trust domain identified by the aud claim, I believe we should keep it required. I also think that there will be deployments with multiple Transaction Token Services (each using their own unique signing keys) that service a single trust domain.

What is the benefit of making the aud claim optional?

> What is the benefit of making the aud claim optional?

Mostly brevity reasons. Also, if it is defined as REQUIRED, it will be enforced by 3rd party libraries which a company might want to integrate in their components/services. This essentially forces the company (albeit using Txn-Tokens within their trust domain only internally) to define and set the aud claim without added benefit.

Having aud REQUIRED also implies that the value needs to be validated somehow. I think this aspect should be mentioned in the spec, if it is really required. So every Token service must validate the audience parameter, and every service/worker receiving a Txn-Token must validate the aud claim against a configured accepted value (or list of values).

I think aud is required to prevent a TraT from being reused in a domain it's not supposed to be used in.
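The validation step discussed in the two comments above (a receiving service checking aud against a configured accepted value, and rejecting a token minted for another trust domain) as an added example; this is not code from the oauth-transaction-tokens draft or from anyone in this thread. It assumes HS256 with a shared secret purely so it runs offline (a real Txn-Service would sign with asymmetric keys), and the trust-domain URLs, subject and secret are constructed sample values.

```python
"""Added example: a minimal Txn-Token verifier that treats ``aud`` as REQUIRED
and checks it against the trust domain(s) this service is configured for.
HS256 with a shared key is an assumption made so the example runs stand-alone.
"""
import base64
import hashlib
import hmac
import json


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_txn_token(claims: dict, key: bytes) -> str:
    """Stand-in for the Txn-Service issuance step: HS256-sign a claims set."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def verify_txn_token(token: str, key: bytes, accepted_audiences: set[str]) -> dict:
    """Verify the signature, then require an ``aud`` naming this trust domain.

    Returns the claims on success and raises ValueError otherwise.
    """
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    claims = json.loads(_b64url_decode(payload_b64))

    # aud is REQUIRED: a token without it cannot be bound to any trust domain.
    aud = claims.get("aud")
    if aud is None:
        raise ValueError("aud claim missing (REQUIRED)")
    # RFC 7519 allows aud to be a single string or an array of strings.
    audiences = [aud] if isinstance(aud, str) else list(aud)
    if not any(a in accepted_audiences for a in audiences):
        raise ValueError(f"aud {audiences!r} not accepted by this trust domain")
    return claims


# Constructed sample values (not from the draft or the thread).
SHARED_KEY = b"example-shared-secret"
THIS_DOMAIN = "https://trust-domain-a.example"
OTHER_DOMAIN = "https://trust-domain-b.example"


def demo() -> dict:
    """Run three tokens through a service configured for THIS_DOMAIN only."""
    tokens = {
        "same_domain": mint_txn_token({"sub": "user-123", "aud": THIS_DOMAIN}, SHARED_KEY),
        # Signed by the same key, but minted for another trust domain: without
        # the aud check this token would be accepted here (the reuse case).
        "other_domain": mint_txn_token({"sub": "user-123", "aud": OTHER_DOMAIN}, SHARED_KEY),
        "no_aud": mint_txn_token({"sub": "user-123"}, SHARED_KEY),
    }
    results = {}
    for name, tok in tokens.items():
        try:
            verify_txn_token(tok, SHARED_KEY, {THIS_DOMAIN})
            results[name] = "accepted"
        except ValueError as exc:
            results[name] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The signature check runs before the aud check so a forged token never reaches the audience logic; the aud check then implements the point made above, namely that a token legitimately signed for one trust domain is refused by services in another.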

Closing as per discussion in meeting on 2/2/24: https://hackmd.io/@rpc-sec-wg/Hk0ggi5ca