Subject: NEW Issue: Missing issuer and required claims inside token assertions
PLEASE DO NOT REPLY TO THIS EMAIL OR START A DISCUSSION THREAD UNTIL THE ISSUE IS ASSIGNED A NUMBER.
The issues coordinators will notify the list when that has occurred.
Artifact: spec / schema
Title: Missing issuer and required claims inside token assertions
The current WS-SecurityPolicy specification does not provide any guidance or explicit support for expressing a requirement for multiple supporting tokens of the same type. The main issue is that it is not really possible to differentiate between individual tokens if they share the same token type, and thus to match the actual tokens against the token assertions in the receiver's policy. The only exception is the IssuedToken assertion, where it is possible to differentiate tokens based on the token issuer parameter.
The proposal below adds an optional issuer parameter to all token assertions defined in the specification. The existing sp:Issuer element, as defined for the IssuedToken, SpnegoContextToken and SecureConversationToken assertions, is reused for this purpose.
In addition, it adds an optional claims parameter that allows the receiver to express required claims that have to be present in the token in order for the token to fulfill the token assertion requirements. The existing wst:Claims element from the WS-Trust Issuance binding is reused for this purpose. The wst:Claims element allows the receiver to fine-tune the token requirements in its policy.
The proposal below also clarifies the rules that govern the matching of the actual security tokens with the token assertions.
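The following added example (not part of the original issue or the attached proposal) models the matching problem and the proposed fix: two supporting tokens of the same type are indistinguishable to a policy that names only the token type, but become unambiguous once each assertion can carry an issuer and required claims. The data model and the matching rule (type equal, issuer equal when the assertion names one, required claims a subset of the token's claims) are assumptions for illustration, not the normative WS-SecurityPolicy schema or matching rules.

```python
"""Hypothetical model of token assertions with optional issuer/claims.

Not the WS-SecurityPolicy schema; the matching rule below is an
assumption used to illustrate the ambiguity the issue describes.
"""
from dataclasses import dataclass
from typing import List, Optional, Sequence


@dataclass(frozen=True)
class TokenAssertion:
    token_type: str                       # e.g. "X509Token"
    issuer: Optional[str] = None          # proposed sp:Issuer, optional
    required_claims: frozenset = frozenset()  # proposed wst:Claims, optional


@dataclass(frozen=True)
class Token:
    token_type: str
    issuer: str
    claims: frozenset


def satisfies(token: Token, assertion: TokenAssertion) -> bool:
    """Assumed rule: type must match, issuer must match if the assertion
    names one, and every required claim must be present in the token."""
    if token.token_type != assertion.token_type:
        return False
    if assertion.issuer is not None and token.issuer != assertion.issuer:
        return False
    return assertion.required_claims <= token.claims


def match(tokens: Sequence[Token], assertions: Sequence[TokenAssertion]) -> List[List[Token]]:
    """Candidate tokens per assertion, in assertion order."""
    return [[t for t in tokens if satisfies(t, a)] for a in assertions]


def ambiguous(tokens: Sequence[Token], assertions: Sequence[TokenAssertion]) -> bool:
    """True if any assertion has zero or more than one candidate token."""
    return any(len(c) != 1 for c in match(tokens, assertions))


# Constructed sample: two X509 supporting tokens from different issuers.
TOKENS = (Token("X509Token", "urn:example:ca-a", frozenset({"role:admin"})),
          Token("X509Token", "urn:example:ca-b", frozenset({"role:auditor"})))

# Today's policy can only name the token type: both assertions fit both tokens.
BARE_POLICY = (TokenAssertion("X509Token"), TokenAssertion("X509Token"))

# With the proposed parameters each assertion selects exactly one token.
QUALIFIED_POLICY = (TokenAssertion("X509Token", "urn:example:ca-a", frozenset({"role:admin"})),
                    TokenAssertion("X509Token", "urn:example:ca-b"))
```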
Please see the attached document for the proposal.