[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Issue PR022: Assertion to allow STS to require requestor to specify scope of issued token
PR022

From: Marc Goodner

This one seems to have slipped through the cracks last week.

From: Marc Goodner [mailto:mgoodner@microsoft.com]

PLEASE DO NOT REPLY TO THIS EMAIL OR START A DISCUSSION THREAD UNTIL THE ISSUE IS ASSIGNED A NUMBER. The issues coordinators will notify the list when that has occurred.

Protocol: ws-securitypolicy
Artifact: spec / schema
Type: design
Title: Assertion to allow STS to require requestor to specify scope of issued token

Description: WS-Trust defines the rules for interpreting the combinations of when a requestor specifies token scope and/or when the issuer returns token scope using the AppliesTo element. However, there is no way to give an STS control over when a requestor may/should specify the AppliesTo element in the RST request, and there are scenarios when such control would be useful. Of course, the STS always has the final say and can refuse a request lacking a suitable AppliesTo, but without any a priori indication to a requestor that did not normally include AppliesTo info, the only option would be to fault and then retry. It would be useful to introduce a policy assertion that allows an STS to specify the requirement for scope information to be included in the form of AppliesTo in the RST. It would represent an intersectable behavior, and can very naturally fit under the top-level Trust assertion already defined in WS-SecurityPolicy that pertains to WS-Trust exchanges.

Related issues: None.

Proposed Resolution: Modify as follows. Add <sp:RequireAppliesTo/>? to the exemplar of Section 10.1 Trust13 Assertion (shown below in bold) with the following definition.

    <sp:Trust13 xmlns:sp="..." ... >
      <sp:RequireRequestSecurityTokenCollection />?
      <sp:RequireAppliesTo />?

/sp:Trust10/wsp:Policy/sp:RequireAppliesTo
This optional element is a policy assertion that indicates that the STS requires the requestor to specify the scope for the issued token using wsp:AppliesTo in the RST.
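Worked example, added to this page and not part of the issue text or of any WS-SX TC deliverable: how both sides of the exchange would act on the proposed assertion. The requestor reads the STS policy first, so a missing scope is caught locally instead of through the fault-and-retry round trip the issue describes; the STS enforces its own assertion on the incoming RST. Assumptions: the proposed sp:RequireAppliesTo element lives in the WS-SecurityPolicy 1.2 namespace and nests under sp:Trust13/wsp:Policy as in the exemplar; wst:InvalidRequest is chosen as the STS fault for a missing scope; the policy and RST documents, the SAML 2.0 token type and the service address are constructed samples.

```python
import xml.etree.ElementTree as ET

# Namespace URIs for WS-SecurityPolicy 1.2, WS-Policy 1.5, WS-Trust 1.3 and WS-Addressing.
NS = {
    "sp": "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702",
    "wsp": "http://www.w3.org/ns/ws-policy",
    "wst": "http://docs.oasis-open.org/ws-sx/ws-trust/200512",
    "wsa": "http://www.w3.org/2005/08/addressing",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

ISSUE = NS["wst"] + "/Issue"  # WS-Trust 1.3 RequestType for issuance


def qname(prefix, local):
    """Clark-notation name {uri}local, as ElementTree expects."""
    return "{%s}%s" % (NS[prefix], local)


# Constructed sample: STS policy whose Trust13 assertion carries the proposed element
# (assumed namespace and nesting; this element is the issue's proposal, not current spec).
POLICY_REQUIRING_SCOPE = """\
<wsp:Policy xmlns:wsp="%(wsp)s" xmlns:sp="%(sp)s">
  <sp:Trust13>
    <wsp:Policy>
      <sp:RequireRequestSecurityTokenCollection/>
      <sp:RequireAppliesTo/>
    </wsp:Policy>
  </sp:Trust13>
</wsp:Policy>
""" % NS

# Constructed sample: the same STS policy without the proposed element.
POLICY_NOT_REQUIRING_SCOPE = POLICY_REQUIRING_SCOPE.replace(
    "      <sp:RequireAppliesTo/>\n", "")


def sts_requires_applies_to(policy_xml):
    """True if the policy carries /sp:Trust13/wsp:Policy/sp:RequireAppliesTo."""
    root = ET.fromstring(policy_xml)
    return root.find(".//sp:Trust13/wsp:Policy/sp:RequireAppliesTo", NS) is not None


def rst_has_applies_to(rst_xml):
    """True if the RST carries wsp:AppliesTo with a non-empty wsa:Address.
    An empty <wsp:AppliesTo/> names no scope and is treated as absent."""
    root = ET.fromstring(rst_xml)
    applies_to = root.find("wsp:AppliesTo", NS)
    if applies_to is None:
        return False
    address = applies_to.find("wsa:EndpointReference/wsa:Address", NS)
    return address is not None and bool((address.text or "").strip())


def build_rst(token_type, scope=None):
    """Serialize an Issue RST; wsp:AppliesTo is emitted only when a scope is given."""
    rst = ET.Element(qname("wst", "RequestSecurityToken"))
    ET.SubElement(rst, qname("wst", "RequestType")).text = ISSUE
    ET.SubElement(rst, qname("wst", "TokenType")).text = token_type
    if scope:
        applies_to = ET.SubElement(rst, qname("wsp", "AppliesTo"))
        epr = ET.SubElement(applies_to, qname("wsa", "EndpointReference"))
        ET.SubElement(epr, qname("wsa", "Address")).text = scope
    return ET.tostring(rst, encoding="unicode")


def prepare_rst(policy_xml, token_type, scope=None):
    """Requestor side: consult the STS policy before sending, so the missing scope
    is rejected here rather than by an STS fault followed by a retry."""
    if sts_requires_applies_to(policy_xml) and not scope:
        raise ValueError("STS policy asserts sp:RequireAppliesTo; a scope is required")
    return build_rst(token_type, scope)


def sts_admit(policy_xml, rst_xml):
    """STS side: enforce the assertion. Returns (admitted, fault_code);
    wst:InvalidRequest is an assumed choice of fault for a missing scope."""
    if sts_requires_applies_to(policy_xml) and not rst_has_applies_to(rst_xml):
        return False, "wst:InvalidRequest"
    return True, None


if __name__ == "__main__":
    saml2 = "urn:oasis:names:tc:SAML:2.0:assertion"
    rst = prepare_rst(POLICY_REQUIRING_SCOPE, saml2, "https://service.example/orders")
    print(rst)
    print(sts_admit(POLICY_REQUIRING_SCOPE, rst))
    print(sts_admit(POLICY_REQUIRING_SCOPE, build_rst(saml2)))
```

The STS check keeps the "final say" the issue mentions: it rejects a scopeless RST whether or not the requestor consulted the policy, and it also rejects an empty wsp:AppliesTo, which is present syntactically but names no scope. When the assertion is absent from the policy, both sides fall back to the existing WS-Trust rules and a scopeless RST is admitted.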