From 1c28dedfb21273550d96345259ff33b40c044962 Mon Sep 17 00:00:00 2001 From: Justin Richer Date: Mon, 9 Oct 2023 14:06:59 -0400 Subject: [PATCH 1/3] clarify resource registration --- draft-ietf-gnap-resource-servers.md | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/draft-ietf-gnap-resource-servers.md b/draft-ietf-gnap-resource-servers.md index 0356d64..2f70818 100644 --- a/draft-ietf-gnap-resource-servers.md +++ b/draft-ietf-gnap-resource-servers.md @@ -631,7 +631,8 @@ token_format_required (string): token_introspection_required (boolean): : OPTIONAL. If present and set to `true`, the RS expects to make a token introspection request as described in {{introspection}}. If absent or set to `false`, the RS does not anticipate needing - to make an introspection request for tokens relating to this resource set. + to make an introspection request for tokens relating to this resource set. If the AS does not + support token introspection for this RS, the AS MUST return an error to the RS. The RS MUST identify itself with its own key and sign the request. @@ -677,16 +678,16 @@ any additional information the RS might need in future requests. resource_reference (string): : REQUIRED. A single string representing the list of resources registered in the request. The RS MAY make this handle available to a client instance as part of a - discovery response as described in {{GNAP}} or as + discovery response as described in {{Section 9.1 of GNAP}} or as documentation to client software developers. instance_id (string): : OPTIONAL. An instance identifier that the RS can use to refer to itself in future calls to - the AS, in lieu of sending its key by value. + the AS, in lieu of sending its key by value. See {{authentication}}. introspection_endpoint (string): : OPTIONAL. The introspection endpoint of this AS, used to allow the RS to perform - token introspection. {{introspection}} + token introspection. See {{introspection}}. ~~~ HTTP/1.1 200 OK 
@@ -698,6 +699,12 @@ Cache-Control: no-store } ~~~ +If a resource was previously registered, the AS MAY return the same resource reference +value as in previous responses. + +If the registration fails, the AS returns an HTTP 400 Bad Request error to the +RS indicating that the registration was not successful. + # Deriving a downstream token {#token-chaining} Some architectures require an RS to act as a client instance and use a derived access From 404f2356cf4a072bcea545f1eb64202149691792 Mon Sep 17 00:00:00 2001 From: Justin Richer Date: Mon, 9 Oct 2023 14:52:02 -0400 Subject: [PATCH 2/3] update token format request --- draft-ietf-gnap-resource-servers.md | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/draft-ietf-gnap-resource-servers.md b/draft-ietf-gnap-resource-servers.md index 2f70818..a0dbabb 100644 --- a/draft-ietf-gnap-resource-servers.md +++ b/draft-ietf-gnap-resource-servers.md @@ -623,10 +623,12 @@ resource_server (string or object): : REQUIRED. The identification used to authenticate the resource server making this call, either by value or by reference as described in {{authentication}}. -token_format_required (string): -: OPTIONAL. The token format required to access the identified resource. If the field is omitted, - the token format is at the discretion of the AS. If the AS does not support the requested - token format, the AS MUST return an error to the RS. +token_formats_supported (array of strings): +: OPTIONAL. The token formats the RS is able to process for accessing the resource. + The values in this array MUST be registered in the GNAP Token Formats Registry in {{IANA-token-format}}. + If the field is omitted, the token format is at the discretion of the AS. + If the AS does not support any of the requested + token formats, the AS MUST return an error to the RS. token_introspection_required (boolean): : OPTIONAL. If present and set to `true`, the RS expects to make a token introspection request as 
@@ -899,7 +901,7 @@ The table below contains the initial contents of the GNAP Resource Set Registrat |Name|Type|Reference| |access|array of strings/objects| {{rs-register-resource-handle}} of This document| |resource_server| string or object| {{rs-register-resource-handle}} of This document| -|token_format_required|string| {{rs-register-resource-handle}} of This document| +|token_formats_supported|array of strings| {{rs-register-resource-handle}} of This document| |token_introspection_required|boolean| {{rs-register-resource-handle}} of This document| ## Resource Set Registration Response Parameters {#IANA-resource-registration-response} From 8abcf2c95d507384a72cbb70d5cffdbfbc79d0ce Mon Sep 17 00:00:00 2001 From: Justin Richer Date: Wed, 18 Oct 2023 19:05:56 -0400 Subject: [PATCH 3/3] add example of resource reference usage --- draft-ietf-gnap-resource-servers.md | 32 +++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+) diff --git a/draft-ietf-gnap-resource-servers.md b/draft-ietf-gnap-resource-servers.md index a0dbabb..80e5ba8 100644 --- a/draft-ietf-gnap-resource-servers.md +++ b/draft-ietf-gnap-resource-servers.md 
@@ -707,6 +707,38 @@ value as in previous responses. If the registration fails, the AS returns an HTTP 400 Bad Request error to the RS indicating that the registration was not successful. +The client instance can then use the `resource_reference` value as a string-type access +reference as defined in {{Section 8.1 of GNAP}}. This value MAY be combined with any other +additional access rights requested by the client instance. + +~~~ json +{ + "access_token": { + "access": [ + "FWWIKYBQ6U56NL1", + { + "type": "photo-api", + "actions": [ + "read", + "write", + "dolphin" + ], + "locations": [ + "https://server.example.net/", + "https://resource.local/other" + ], + "datatypes": [ + "metadata", + "images" + ] + }, + "dolphin-metadata" + ] + }, + "client": "client-12351.bdxqf" +} +~~~ + # Deriving a downstream token {#token-chaining} Some architectures require an RS to act as a client instance and use a derived access
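Review bot: In the PATCH 1/3 hunk at `@@ -631,7 +631,8 @@` (token_introspection_required), the added sentence "If the AS does not support token introspection for this RS, the AS MUST return an error to the RS" does not say which error; the later hunk in the same patch defines the failure case as "an HTTP 400 Bad Request error", so this sentence should point at that behaviour (for example "the AS MUST reject the registration as described below") so the two statements cannot drift apart. It should also be explicit that this rejection applies only when the field is present and set to `true`, since the preceding sentence already says an absent or `false` value means the RS does not anticipate introspection.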
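Review bot: In the PATCH 1/3 hunk at `@@ -677,16 +678,16 @@` (registration response fields), `introspection_endpoint` stays OPTIONAL even when the RS set `token_introspection_required` to `true` in the request; the text should state that the AS MUST include it in that case, or that the RS MUST treat its absence as a failed registration, otherwise an RS that declared it needs introspection has no defined way to discover the endpoint. For `instance_id`, which the RS uses "in lieu of sending its key by value", consider saying that the identifier is bound to the key that signed this registration request (the request hunk already requires the RS to "identify itself with its own key and sign the request"), so later calls using the identifier are held to the same key.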
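Review bot: In the PATCH 1/3 hunk at `@@ -698,6 +699,12 @@`, "If a resource was previously registered, the AS MAY return the same resource reference value as in previous responses" does not bound the reuse to the same RS; as written an AS could return to one RS a reference value that a different RS registered for the same `access` contents. Suggest "If the same RS previously registered the same resource set, the AS MAY return the same `resource_reference` value; the AS MUST NOT return a reference value issued to a different RS." The "HTTP 400 Bad Request" sentence should also say whether the response carries an error body, and in what format, so implementers do not have to guess.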
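Review bot: In the PATCH 2/3 hunk at `@@ -623,10 +623,12 @@` (token_formats_supported), the new text specifies only the failure case ("If the AS does not support any of the requested token formats, the AS MUST return an error") and drops the success-case behaviour that the old single-value wording implied; add that when at least one listed format is supported, the AS MUST issue tokens for this resource set in one of the listed formats, otherwise an AS could accept the registration and still issue a format the RS cannot process. Also state whether an empty array is treated as omitted or as an error, since "If the field is omitted" does not cover it.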
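Review bot: In the PATCH 3/3 hunk at `@@ -707,6 +707,38 @@`, the example's `access` array contains two bare string references, "FWWIKYBQ6U56NL1" and "dolphin-metadata", but the prose never says which one is the `resource_reference` obtained from the registration response; add a sentence after the block identifying "FWWIKYBQ6U56NL1" as that value (or reuse the reference value shown in the registration response example so a reader can match the two), and note that "dolphin-metadata" and the object-form entry are other access rights the client is requesting, which is what "MAY be combined with any other additional access rights" refers to.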