oauth2.dev

ace_profile

IETF

Registry Context

Identifies the ACE profile that the resource server must use when communicating with the client.

Technical Summary

An optional OAuth token introspection response parameter. When present, it identifies the ACE profile the resource server must use with the client. Its format follows the profile identifier rules in RFC 9200 Section 5.8.4.3.

When Used

Included in a successful introspection response when the authorization server needs to tell the resource server which ACE profile to use. If omitted, the authorization server assumes the resource server already knows the profile.

Normative Requirements

Authorization servers

OPTIONAL
1
  1. RFC 9200 - Section 5.9.2

    Include the `ace_profile` parameter in a successful introspection response..

    This parameter is OPTIONAL.

Resource servers

MUST
1
  1. RFC 9200 - Section 5.9.2

    Use the profile identified by the `ace_profile` parameter when communicating with the client..

    Condition: When `ace_profile` is present in the introspection response.

    This indicates the profile that the RS MUST use with the client.

Implementations

MUST NOT
1
  1. RFC 9200 - Section 5.8.4.3

    Use the textual representation of an ACE profile identifier in CBOR-based interactions..

    Condition: When encoding `ace_profile` using CBOR.

    it MUST NOT be used for CBOR-based interactions.

MUST
1
  1. RFC 9200 - Section 5.9.4

    Map introspection request and response parameters to the CBOR types and integer map keys specified by the OAuth Token Introspection Response CBOR Mappings registry..

    Condition: When CBOR is used.

    the introspection request and response parameters MUST be mapped to CBOR types, as specified in the registry defined by Section 8.12, using the given integer abbreviation for the map key.

ACE profile identifier

MUST
1
  1. RFC 9200 - Section 5.8.4.3

    Uniquely identify its profile in the `ace_profile` parameter..

    MUST be used to uniquely identify itself in the `ace_profile` parameter.

ACE profile specification

MUST
1
  1. RFC 9200 - Section 5.8.4.3

    Specify an identifier for use in the `ace_profile` parameter..

    A profile MUST specify an identifier

ACE profile specifications

MUST
1
  1. RFC 9200 - Section 5.8.4.3

    Register their profile identifier in the ACE Profiles registry..

    Profiles MUST register their identifier in the registry defined in Section 8.8.

Specific implementations

MAY
1
  1. RFC 7662 - Section 2.2

    Extend the introspection response with service-specific response names as top-level members of the JSON object..

    Specific implementations MAY extend this structure with their own service-specific response names as top-level members of this JSON object.

Specification authors or registrants

MUST
1
  1. RFC 7662 - Section 2.2

    Register introspection response names in the OAuth Token Introspection Response registry..

    Condition: When a response name is intended for use across domains.

    Response names intended to be used across domains MUST be registered in the "OAuth Token Introspection Response" registry

Validation Guidance

error

If `ace_profile` is present, require the resource server to use the identified profile when communicating with the client.

info

Permit `ace_profile` to be absent; RFC 9200 states that absence means the authorization server assumes the resource server already knows which profile to use.

error

Validate that the value identifies a registered ACE profile and uniquely identifies that profile.

error

For CBOR-based introspection responses, reject a textual `ace_profile` value and apply the registered CBOR mapping, whose key is 38 and whose value type is integer.

info

For JSON-based introspection responses, treat `ace_profile` as a top-level response member using the textual representation of the ACE profile identifier.

Reference

Details

Entry Id
ace_profile
Name
ace_profile
Description
The ACE profile used between the client and RS.
Change Controller
IETF
Reference
RFC9200 - Section 5.9.2