ace_ profile
Registry Context
Identifies the ACE profile that the resource server must use when communicating with the client.
Technical Summary
An optional OAuth token introspection response parameter. When present, it identifies the ACE profile the resource server must use with the client. Its format follows the profile identifier rules in RFC 9200 Section 5.8.4.3.
When Used
Included in a successful introspection response when the authorization server needs to tell the resource server which ACE profile to use. If omitted, the authorization server assumes the resource server already knows the profile.
Normative Requirements
Authorization servers
RFC 9200 - Section 5.9.2
Include the `ace_profile` parameter in a successful introspection response..
This parameter is OPTIONAL.
Resource servers
RFC 9200 - Section 5.9.2
Use the profile identified by the `ace_profile` parameter when communicating with the client..
Condition: When `ace_profile` is present in the introspection response.
This indicates the profile that the RS MUST use with the client.
Implementations
RFC 9200 - Section 5.8.4.3
Use the textual representation of an ACE profile identifier in CBOR-based interactions..
Condition: When encoding `ace_profile` using CBOR.
it MUST NOT be used for CBOR-based interactions.
RFC 9200 - Section 5.9.4
Map introspection request and response parameters to the CBOR types and integer map keys specified by the OAuth Token Introspection Response CBOR Mappings registry..
Condition: When CBOR is used.
the introspection request and response parameters MUST be mapped to CBOR types, as specified in the registry defined by Section 8.12, using the given integer abbreviation for the map key.
ACE profile identifier
RFC 9200 - Section 5.8.4.3
Uniquely identify its profile in the `ace_profile` parameter..
MUST be used to uniquely identify itself in the `ace_profile` parameter.
ACE profile specification
RFC 9200 - Section 5.8.4.3
Specify an identifier for use in the `ace_profile` parameter..
A profile MUST specify an identifier
ACE profile specifications
RFC 9200 - Section 5.8.4.3
Register their profile identifier in the ACE Profiles registry..
Profiles MUST register their identifier in the registry defined in Section 8.8.
Specific implementations
RFC 7662 - Section 2.2
Extend the introspection response with service-specific response names as top-level members of the JSON object..
Specific implementations MAY extend this structure with their own service-specific response names as top-level members of this JSON object.
Specification authors or registrants
RFC 7662 - Section 2.2
Register introspection response names in the OAuth Token Introspection Response registry..
Condition: When a response name is intended for use across domains.
Response names intended to be used across domains MUST be registered in the "OAuth Token Introspection Response" registry
Validation Guidance
If `ace_profile` is present, require the resource server to use the identified profile when communicating with the client.
Permit `ace_profile` to be absent; RFC 9200 states that absence means the authorization server assumes the resource server already knows which profile to use.
Validate that the value identifies a registered ACE profile and uniquely identifies that profile.
For CBOR-based introspection responses, reject a textual `ace_profile` value and apply the registered CBOR mapping, whose key is 38 and whose value type is integer.
For JSON-based introspection responses, treat `ace_profile` as a top-level response member using the textual representation of the ACE profile identifier.
Reference
Details
- Entry Id
ace_profile - Name
ace_profile - Description
The ACE profile used between the client and RS.- Change Controller
IETF- Reference
RFC9200 - Section 5.9.2