From: Jan Alexander
Sent: Tuesday, January 30, 2007 10:44 PM
Cc: Marc Goodner; Greg Carpenter
Subject: NEW Issue: Missing issuer and required claims inside token
PLEASE DO NOT REPLY TO THIS EMAIL OR START A DISCUSSION THREAD UNTIL THE ISSUE IS ASSIGNED A NUMBER.
The issues coordinators will notify the list when that has occurred.
Artifact: spec / schema
Title: Missing issuer and required claims inside token
The current WS-SecurityPolicy specification does not provide any guidance or explicit support for expressing a requirement for multiple supporting tokens of the same type. The main issue is that it is not really possible to differentiate between individual tokens if they share the same token type, and thus to match the actual tokens with the token assertions in the receiver's policy. The only exception is the IssuedToken assertion, where it is possible to differentiate tokens based on the token
The proposal below adds the optional issuer parameter to all token assertions defined in the specification. The existing sp:Issuer element as defined for the IssuedToken, SpnegoContextToken and SecureConversationToken assertions is reused for this purpose.
In addition, it adds an optional claims parameter that allows the receiver to express required claims that have to be present in the token in order for the token to fulfill the token assertion requirements. The existing wst:Claims element from the WS-Trust Issuance binding is reused for this purpose. The wst:Claims element allows the receiver to fine-tune the token requirements in its policy.
The proposal below also clarifies the rules that govern the matching of the actual security tokens with the token
see the attached document for the proposal.
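The matching problem the issue describes, as an added example that is not part of the mailing-list post or of the attached proposal: a receiver policy with two SamlToken assertions of the same type, distinguished only by the proposed optional sp:Issuer and wst:Claims parameters, and a small matcher that pairs presented tokens with assertions. The placement of sp:Issuer and wst:Claims inside a token assertion, the claims dialect (the ws/2005/05/identity ClaimType form), the sample endpoint addresses, the presented tokens, and the matching semantics (exact issuer match, required claims as a subset of the token's claims, each assertion fulfilled by a distinct token) are all assumptions made for this example.

```python
"""Match presented security tokens against WS-SecurityPolicy token assertions
by token type, issuer and required claims.

Added example, not code from the post or the attached proposal. Assumes that
each token assertion may carry an <sp:Issuer><wsa:Address> child (reusing the
existing sp:Issuer element) and a <wst:Claims> child whose children name the
required claim URIs; the dialect, addresses and tokens below are constructed.
"""
import xml.etree.ElementTree as ET

SP = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"
WSA = "http://www.w3.org/2005/08/addressing"
WSP = "http://www.w3.org/ns/ws-policy"
IC = "http://schemas.xmlsoap.org/ws/2005/05/identity"  # claims dialect assumed for the example

# Constructed receiver policy: two supporting tokens of the same type.
# Without issuer/claims the two SamlToken assertions are indistinguishable.
POLICY = f"""
<sp:SupportingTokens xmlns:sp="{SP}" xmlns:wst="{WST}" xmlns:wsa="{WSA}"
                     xmlns:wsp="{WSP}" xmlns:ic="{IC}">
  <wsp:Policy>
    <sp:SamlToken>
      <sp:Issuer><wsa:Address>https://sts.example.com/hr</wsa:Address></sp:Issuer>
      <wst:Claims Dialect="{IC}">
        <ic:ClaimType Uri="{IC}/claims/employeeid"/>
      </wst:Claims>
    </sp:SamlToken>
    <sp:SamlToken>
      <sp:Issuer><wsa:Address>https://sts.example.com/finance</wsa:Address></sp:Issuer>
      <wst:Claims Dialect="{IC}">
        <ic:ClaimType Uri="{IC}/claims/costcenter"/>
      </wst:Claims>
    </sp:SamlToken>
  </wsp:Policy>
</sp:SupportingTokens>
"""

# Constructed tokens as the receiver would see them after validation:
# token type, asserting issuer, and the set of claim URIs the token carries.
TOKENS = [
    {"type": "SamlToken", "issuer": "https://sts.example.com/finance",
     "claims": {IC + "/claims/costcenter"}},
    {"type": "SamlToken", "issuer": "https://sts.example.com/hr",
     "claims": {IC + "/claims/employeeid"}},
]


def parse_assertions(policy_xml):
    """Extract (type, issuer, required claims) from every sp:*Token assertion."""
    assertions = []
    for elem in ET.fromstring(policy_xml).iter():
        if not (elem.tag.startswith("{" + SP + "}") and elem.tag.endswith("Token")):
            continue
        issuer = elem.find(f"{{{SP}}}Issuer/{{{WSA}}}Address")
        claims = {c.get("Uri") for c in elem.findall(f"{{{WST}}}Claims/*")}
        assertions.append({
            "type": elem.tag.split("}", 1)[1],
            "issuer": issuer.text.strip() if issuer is not None else None,
            "claims": claims,
        })
    return assertions


def satisfies(token, assertion):
    """A token fulfils an assertion if the type matches, the issuer matches
    when the assertion names one, and every required claim is present."""
    if token["type"] != assertion["type"]:
        return False
    if assertion["issuer"] is not None and token["issuer"] != assertion["issuer"]:
        return False
    return assertion["claims"] <= token["claims"]


def ambiguous_assertions(tokens, assertions):
    """Indices of assertions that more than one presented token fulfils."""
    return [i for i, a in enumerate(assertions)
            if sum(satisfies(t, a) for t in tokens) > 1]


def assign_tokens(tokens, assertions):
    """Return, per assertion, the index of a distinct token that fulfils it,
    or None when no such one-to-one assignment exists (backtracking search)."""
    def solve(i, used):
        if i == len(assertions):
            return []
        for j, tok in enumerate(tokens):
            if j not in used and satisfies(tok, assertions[i]):
                rest = solve(i + 1, used | {j})
                if rest is not None:
                    return [j] + rest
        return None
    return solve(0, frozenset())


def type_only(assertions):
    """The same assertions as today's spec would express them: type only."""
    return [{"type": a["type"], "issuer": None, "claims": set()} for a in assertions]


if __name__ == "__main__":
    policy = parse_assertions(POLICY)
    print("ambiguous (type only):", ambiguous_assertions(TOKENS, type_only(policy)))
    print("ambiguous (issuer+claims):", ambiguous_assertions(TOKENS, policy))
    print("assignment:", assign_tokens(TOKENS, policy))
```

With type-only assertions both tokens satisfy both assertions, so the receiver cannot tell which presented token is meant to satisfy which requirement; once each assertion names its issuer and required claims, the assignment is unique, and a pair of tokens from the same STS fails to satisfy the policy.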