openid/sharedsignals

Why are iss and aud not present when creating a stream (Sec 7.1.1.1)?

independentid opened this issue · 5 comments

An SSF server may have events from multiple publishers and support multiple receivers.

In particular, without an Aud parameter how does the server know who it is sending to? If not supplied, how is Aud calculated for the response?

My use cases require iss and aud parameters in addition to events requested.

This is a good call-out. It used to be that the Transmitter knew the Aud based on the bearer token. But I think the recent changes we've been discussing about decoupling SSF from OAuth mean that we should make Aud a Receiver-supplied value.

Iss, on the other hand, is always known by the Transmitter, and should remain a Transmitter-supplied value.

An SSF server may have multiple event sources behind it. By not having iss configurable, the SSF server would have to re-publish (i.e., sign) each event. This would also make it harder (as in non-standard) for the receiver to select which sources it wants.

As we decouple OAuth from SSF, we will need the receiver to indicate what the aud claim should be in the SETs, making this a must-have field in the stream create request. It also makes sense to add it to the update request.
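Added example, not part of this thread or of the sharedsignals spec text: a sketch of the split proposed above, with `aud` supplied by the Receiver in the stream create/update request and `iss` fixed by the Transmitter, plus the check a Receiver would run on each delivered SET against its stream configuration. The function names (`create_stream`, `update_stream`, `validate_set_for_stream`), the `transmitter.example` / `receiver.example` URLs and the sample SET claims are all constructed for illustration; only the field names mirror the spec. The `aud` handling follows RFC 7519, where `aud` may be a single string or an array.

```python
"""Receiver-supplied aud, Transmitter-supplied iss (illustrative sketch)."""
from typing import Any, Dict, List, Union

# Hypothetical identifiers, constructed for this example.
TRANSMITTER_ISS = "https://transmitter.example"
RECEIVER_AUD = "https://receiver.example"
SESSION_REVOKED = "https://schemas.openid.net/secevent/caep/event-type/session-revoked"


def _aud_as_list(aud: Union[str, List[str], None]) -> List[str]:
    """RFC 7519 lets aud be one string or an array of strings; normalise."""
    if aud is None:
        return []
    if isinstance(aud, str):
        return [aud]
    return list(aud)


def create_stream(transmitter_iss: str, receiver_request: Dict[str, Any]) -> Dict[str, Any]:
    """Transmitter side: build a stream config from a Receiver's create request.

    aud must come from the Receiver (it says who the SETs are for);
    iss is always set by the Transmitter and cannot be chosen by the Receiver.
    """
    aud = _aud_as_list(receiver_request.get("aud"))
    if not aud:
        raise ValueError("stream create request must carry a non-empty aud")
    requested = list(receiver_request.get("events_requested", []))
    return {
        "iss": transmitter_iss,          # Transmitter-supplied
        "aud": aud,                      # Receiver-supplied
        "events_requested": requested,
        "events_delivered": requested,   # example Transmitter supports everything asked
    }


def update_stream(stream: Dict[str, Any], patch: Dict[str, Any]) -> Dict[str, Any]:
    """Transmitter side: apply an update request; aud may change, iss may not."""
    updated = dict(stream)
    if "aud" in patch:
        aud = _aud_as_list(patch["aud"])
        if not aud:
            raise ValueError("update request must not clear aud")
        updated["aud"] = aud
    if "events_requested" in patch:
        updated["events_requested"] = list(patch["events_requested"])
        updated["events_delivered"] = list(patch["events_requested"])
    if "iss" in patch and patch["iss"] != stream["iss"]:
        raise ValueError("iss is Transmitter-supplied and cannot be changed by the Receiver")
    return updated


def validate_set_for_stream(set_claims: Dict[str, Any], stream: Dict[str, Any]) -> List[str]:
    """Receiver side: check decoded SET claims against the stream config.

    Returns a list of problems; an empty list means the SET is for this stream.
    Signature verification is assumed to have happened before this step.
    """
    problems: List[str] = []
    if set_claims.get("iss") != stream["iss"]:
        problems.append(f"iss mismatch: {set_claims.get('iss')!r} != {stream['iss']!r}")
    set_aud = _aud_as_list(set_claims.get("aud"))
    if not set_aud:
        problems.append("aud missing from SET")
    elif not set(set_aud) & set(stream["aud"]):
        problems.append(f"aud {set_aud!r} does not include any of {stream['aud']!r}")
    events = set_claims.get("events") or {}
    if not events:
        problems.append("SET carries no events")
    else:
        unexpected = [e for e in events if e not in stream["events_delivered"]]
        if unexpected:
            problems.append(f"event types not configured for this stream: {unexpected!r}")
    return problems


# Constructed sample data.
STREAM = create_stream(TRANSMITTER_ISS, {"aud": RECEIVER_AUD, "events_requested": [SESSION_REVOKED]})

GOOD_SET = {
    "iss": TRANSMITTER_ISS,
    "aud": RECEIVER_AUD,
    "jti": "example-jti-1",
    "iat": 1700000000,
    "events": {SESSION_REVOKED: {"subject": {"format": "email", "email": "user@receiver.example"}}},
}

# Same event, but addressed to a different Receiver: must be rejected.
MISDIRECTED_SET = dict(GOOD_SET, aud=["https://other-receiver.example"])


if __name__ == "__main__":
    print("good:", validate_set_for_stream(GOOD_SET, STREAM))
    print("misdirected:", validate_set_for_stream(MISDIRECTED_SET, STREAM))
```

The receiver-side check is the reason `aud` has to be in the stream configuration: without it, a Receiver connected to a Transmitter that serves many Receivers has nothing to compare a SET's `aud` against, and a misdirected or replayed SET would be indistinguishable from one meant for it.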

tulshi commented

Issue #30 is related to this.