rfcdiff 1.48 side-by-side comparison of rfc9201v2.txt (old) and rfc9201.txt (new), 11 change blocks.
The two columns are shown here as one listing: unmarked lines are identical in both
files, lines marked "-" appear only in rfc9201v2.txt, lines marked "+" only in rfc9201.txt.

   [skipping to change at line 139]

   MUST verify that the client really is in possession of the
   corresponding key.  Profiles of [RFC9200] using this specification
   MUST define the PoP method used by the AS if they allow clients to
   use this request parameter.  Values of this parameter follow the
   syntax and semantics of the cnf claim either from Section 3.1 of
   [RFC8747] for CBOR-based interactions or from Section 3.1 of
   [RFC7800] for JSON-based interactions.

   Figure 1 shows a request for an access token using the req_cnf
   parameter to request a specific public key as a PoP key.  The content
-  is displayed in CBOR diagnostic notation without abbreviations and
-  with line breaks for better readability.
+  is displayed in CBOR diagnostic notation with line breaks for better
+  readability.

   Header: POST (Code=0.02)
   Uri-Host: "as.example.com"
   Uri-Path: "token"
-  Content-Format: "application/ace+cbor"
+  Content-Format: application/ace+cbor
   Payload:
   {
-    "req_cnf" : {
-      "COSE_Key" : {
-        "kty" : "EC2",
-        "kid" : h'11',
-        "crv" : "P-256",
-        "x" : h'BAC5B11CAD8F99F9C72B05CF4B9E26D24
-               4DC189F745228255A219A86D6A09EFF',
-        "y" : h'20138BF82DC1B6D562BE0FA54AB7804A3
-               A64B6D72CCFED6B6FB6ED28BBFC117E'
+    / req_cnf / 4 : {
+      / COSE_Key / 1 : {
+        / kty / 1 : 2 /EC2/,
+        / kid / 2 : h'11',
+        / crv / -1 : 1 /P-256/,
+        / x / -2 : h'BAC5B11CAD8F99F9C72B05CF4B9E26D24
+                     4DC189F745228255A219A86D6A09EFF',
+        / y / -3 : h'20138BF82DC1B6D562BE0FA54AB7804A3
+                     A64B6D72CCFED6B6FB6ED28BBFC117E'
       }
     }
   }

       Figure 1: Example Request for an Access Token Bound to an
                            Asymmetric Key

3.2.  AS-to-Client Response

   This section defines the following additional parameters for an AS

   [skipping to change at line 195]

      without additional information.  Values of this parameter follow
      the syntax and semantics of the cnf claim either from Section 3.1
      of [RFC8747] for CBOR-based interactions or from Section 3.1 of
      [RFC7800] for JSON-based interactions.  See Section 5 for
      additional discussion of the usage of this parameter.

   Figure 2 shows an AS response containing a token and a cnf parameter
   with a symmetric PoP key.

   Header: Created (Code=2.01)
-  Content-Format: "application/ace+cbor"
+  Content-Format: application/ace+cbor
   Payload:
   {
-    "access_token" : h'4A5015DF686428 ...
+    / access_token / 1 : h'4A5015DF686428 ...
      (remainder of CWT omitted for brevity;
      CWT contains COSE_Key in the "cnf" claim)',
-    "cnf" : {
-      "COSE_Key" : {
-        "kty" : "Symmetric",
-        "kid" : h'DFD1AA97',
-        "k" : h'849B5786457C1491BE3A76DCEA6C427108'
+    / cnf / 8 : {
+      / COSE_Key / 1 : {
+        / kty / 1 : 4 / Symmetric /,
+        / kid / 2 : h'DFD1AA97',
+        / k / -1 : h'849B5786457C1491BE3A76DCEA6C427108'
       }
     }
   }

       Figure 2: Example AS Response with an Access Token Bound to a
                            Symmetric Key

   Figure 3 shows an AS response containing a token bound to a
   previously requested asymmetric PoP key (not shown) and an rs_cnf
   parameter containing the public key of the RS.

   Header: Created (Code=2.01)
-  Content-Format: "application/ace+cbor"
+  Content-Format: application/ace+cbor
   Payload:
   {
-    "access_token" : h'D08343A1010AA1054D2A45DF6FBC5A5A ...
+    / access_token / 1 : h'D08343A1010AA1054D2A45DF6FBC5A5A ...
      (remainder of CWT omitted for brevity)',
-    "rs_cnf" : {
-      "COSE_Key" : {
-        "kty" : "EC2",
-        "kid" : h'12',
-        "crv" : "P-256",
-        "x" : h'BCEE7EAAC162F91E6F330F5771211E220
-               B8B546C96589B0AC4AD0FD24C77E1F1',
-        "y" : h'C647B38C55EFBBC4E62E651720F002D5D
-               75B2E0C02CD1326E662BCA222B90416'
+    / rs_cnf / 41 : {
+      / COSE_Key / 1 : {
+        / kty / 1 : 2 /EC2/,
+        / kid / 2 : h'12',
+        / crv / -1 : 1 /P-256/,
+        / x / -2 : h'BCEE7EAAC162F91E6F330F5771211E220
+                     B8B546C96589B0AC4AD0FD24C77E1F1',
+        / y / -3 : h'C647B38C55EFBBC4E62E651720F002D5D
+                     75B2E0C02CD1326E662BCA222B90416'
       }
     }
   }

       Figure 3: Example AS Response Including the RS's Public Key

4.  Parameters for the Introspection Endpoint

   This section defines the use of CBOR instead of JSON for the cnf
   introspection response parameter specified in Section 9.4 of

   [skipping to change at line 253]

   If CBOR is used instead of JSON in an interaction with the
   introspection endpoint, the AS MUST use the parameter mapping
   specified in Table 1 and the value must follow the syntax of cnf
   claim values from Section 3.1 of [RFC8747].

   Figure 4 shows an AS response to an introspection request including
   the cnf parameter to indicate the PoP key bound to the token.

   Header: Created (Code=2.01)
-  Content-Format: "application/ace+cbor"
+  Content-Format: application/ace+cbor
   Payload:
   {
-    "active" : true,
-    "scope" : "read",
-    "aud" : "tempSensor4711",
-    "cnf" : {
-      "COSE_Key" : {
-        "kty" : "EC2",
-        "kid" : h'11',
-        "crv" : "P-256",
-        "x" : h'BAC5B11CAD8F99F9C72B05CF4B9E26D24
-               4DC189F745228255A219A86D6A09EFF',
-        "y" : h'20138BF82DC1B6D562BE0FA54AB7804A3
-               A64B6D72CCFED6B6FB6ED28BBFC117E'
+    / active / 10 : true,
+    / scope / 9 : "read",
+    / aud / 3 : "tempSensor4711",
+    / cnf / 8 : {
+      / COSE_Key / 1 : {
+        / kty / 1 : 2 /EC2/,
+        / kid / 2 : h'11',
+        / crv / -1 : 1 /P-256/,
+        / x / -2 : h'BAC5B11CAD8F99F9C72B05CF4B9E26D24
+                     4DC189F745228255A219A86D6A09EFF',
+        / y / -3 : h'20138BF82DC1B6D562BE0FA54AB7804A3
+                     A64B6D72CCFED6B6FB6ED28BBFC117E'
       }
     }
   }

                  Figure 4: Example Introspection Response
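The change running through Figures 1 to 4 is that the published text prints the CBOR maps with their integer labels (req_cnf 4, cnf 8, rs_cnf 41, COSE_Key 1, kty 1, kid 2, crv -1, x -2, y -3, k -1, and kty values 2 for EC2 and 4 for Symmetric) instead of the JSON-style names, which is what actually goes on the wire. The following script is an added example, not text or code from RFC 9201 or the ACE working group: a minimal strict CBOR codec in pure Python, the Figure 1 request and Figure 2 response rebuilt with those labels, and the structural checks an AS or RS should run on a received COSE_Key (integer labels only, 32-byte P-256 coordinates that lie on the curve, a symmetric key of usable length). The P-256 constants, the 16-byte symmetric-key floor, the rejection of text labels, and the placeholder CWT bytes are this example's own assumptions. The on-curve check rejects malformed or invalid-curve input; it is not the proof-of-possession check that the text above requires the AS to perform.

```python
"""Added example (not RFC 9201 text): minimal CBOR codec plus the structural checks
an AS or RS should run on the COSE_Key inside req_cnf (4), cnf (8) or rs_cnf (41)."""
# Integer labels as printed in Figures 1-4 (RFC 9201, RFC 8747 cnf, COSE_Key)
ACCESS_TOKEN, REQ_CNF, CNF, RS_CNF, COSE_KEY = 1, 4, 8, 41, 1
KTY, KID, CRV, X, Y, K = 1, 2, -1, -2, -3, -1   # K and CRV share label -1
KTY_EC2, KTY_SYMMETRIC, CRV_P256 = 2, 4, 1
# P-256 prime and coefficient b, assumed from FIPS 186-4 (not in the RFC)
P256_P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
P256_B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B

def _head(major, n):
    if n < 24:
        return bytes([major << 5 | n])
    size = next(s for s in (1, 2, 4, 8) if n < 1 << (8 * s))   # additional info 24-27
    return bytes([major << 5 | 23 + size.bit_length()]) + n.to_bytes(size, "big")

def cbor_encode(v):  # bool, int, bytes, str and map: the subset the figures use
    if isinstance(v, bool):
        return b"\xf5" if v else b"\xf4"
    if isinstance(v, int):
        return _head(0, v) if v >= 0 else _head(1, -1 - v)
    if isinstance(v, (bytes, str)):
        raw = v if isinstance(v, bytes) else v.encode("utf-8")
        return _head(2 if isinstance(v, bytes) else 3, len(raw)) + raw
    if isinstance(v, dict):
        return _head(5, len(v)) + b"".join(cbor_encode(k) + cbor_encode(x) for k, x in v.items())
    raise TypeError(f"unsupported type {type(v).__name__}")

def _decode(buf, i):
    """Strict decoder: definite lengths only, duplicate map keys rejected."""
    if i >= len(buf):
        raise ValueError("truncated CBOR")
    major, ai, i = buf[i] >> 5, buf[i] & 0x1F, i + 1
    if major == 7 and ai in (20, 21):                  # false / true
        return ai == 21, i
    if ai >= 28 or major in (4, 6, 7):                  # arrays, tags, floats: not needed here
        raise ValueError("unsupported or indefinite-length item")
    n, size = ai, (0 if ai < 24 else 1 << (ai - 24))
    if size:
        if i + size > len(buf):
            raise ValueError("truncated CBOR")
        n, i = int.from_bytes(buf[i:i + size], "big"), i + size
    if major in (0, 1):
        return (n if major == 0 else -1 - n), i
    if major in (2, 3):
        if i + n > len(buf):
            raise ValueError("truncated CBOR")
        raw = bytes(buf[i:i + n])
        return (raw if major == 2 else raw.decode("utf-8")), i + n
    d = {}                                              # major type 5: map
    for _ in range(n):
        k, i = _decode(buf, i)
        v, i = _decode(buf, i)
        if k in d:                                      # ambiguous parameter maps are rejected
            raise ValueError("duplicate map key")
        d[k] = v
    return d, i

def cbor_decode(buf):
    v, i = _decode(buf, 0)
    if i != len(buf):
        raise ValueError("trailing bytes after CBOR item")
    return v

def on_p256(x, y):
    """True iff (x, y) satisfies y^2 = x^3 - 3x + b over the P-256 field."""
    return 0 <= x < P256_P and 0 <= y < P256_P and (y * y - x ** 3 + 3 * x - P256_B) % P256_P == 0

def check_cose_key(key):
    """Reasons a COSE_Key is unusable as a PoP key ([] = structurally fine).  Input validation
    only, not the possession check the AS MUST do; the 16-byte floor is this example's policy."""
    if not isinstance(key, dict) or not all(isinstance(label, int) for label in key):
        return ['COSE_Key labels must be integers, not text such as "kty"']
    kty, problems = key.get(KTY), []
    if kty == KTY_EC2:
        if key.get(CRV) != CRV_P256:
            problems.append("unsupported curve")
        x, y = key.get(X), key.get(Y)
        if not (isinstance(x, bytes) and isinstance(y, bytes) and len(x) == len(y) == 32):
            problems.append("x and y must be 32-byte strings for P-256")
        elif not on_p256(int.from_bytes(x, "big"), int.from_bytes(y, "big")):
            problems.append("point is not on P-256 (invalid-curve input)")
    elif kty == KTY_SYMMETRIC:
        if not isinstance(key.get(K), bytes) or len(key[K]) < 16:
            problems.append("k must be a byte string of at least 16 bytes")
    else:
        problems.append(f"unsupported kty {kty!r}")
    return problems

def pop_key(payload, label):  # COSE_Key under a req_cnf / cnf / rs_cnf label of a decoded payload
    cnf = payload.get(label)
    if not isinstance(cnf, dict) or not isinstance(cnf.get(COSE_KEY), dict):
        raise ValueError(f"parameter {label} must be a map holding a COSE_Key (label 1)")
    return cnf[COSE_KEY]

# Figures 1 and 2 with the key values as printed; the CWT bytes are a constructed placeholder
FIG1_REQUEST = {REQ_CNF: {COSE_KEY: {KTY: KTY_EC2, KID: b"\x11", CRV: CRV_P256,
    X: bytes.fromhex("BAC5B11CAD8F99F9C72B05CF4B9E26D244DC189F745228255A219A86D6A09EFF"),
    Y: bytes.fromhex("20138BF82DC1B6D562BE0FA54AB7804A3A64B6D72CCFED6B6FB6ED28BBFC117E")}}}
FIG2_RESPONSE = {ACCESS_TOKEN: b"constructed-placeholder-cwt", CNF: {COSE_KEY: {
    KTY: KTY_SYMMETRIC, KID: bytes.fromhex("DFD1AA97"),
    K: bytes.fromhex("849B5786457C1491BE3A76DCEA6C427108")}}}
```

Encoding FIG1_REQUEST yields the bytes a1 04 a1 01 a5 01 02 ..., i.e. the map labels 4 and 1 and the kty value 2 from the figure, with no text labels anywhere; `check_cose_key(pop_key(cbor_decode(wire), REQ_CNF))` is the check an AS would run before it goes on to verify possession, and a payload that still uses the old string-labelled form ({"kty": "EC2", ...}) is rejected rather than silently treated as an unknown key type. The decoder deliberately refuses duplicate map keys, trailing bytes and indefinite-length items, since each of those lets two parsers disagree about which key a token was bound to.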
5.  Confirmation Method Parameters

   The confirmation method parameters are used in [RFC9200] as follows: