According to the OpenID Connect specification [1], the "aud" value is the
client ID with identifiers for other audiences.

 {
   "iss": "https://server.example.com",
   "sub": "24400320",
   "aud": "s6BhdRkqt3",
   "nonce": "n-0S6_WzA2Mj",
   "exp": 1311281970,
   "iat": 1311280970,
   "auth_time": 1311280969,
   "acr": "urn:mace:incommon:iap:silver"
 }

But in token introspection, the "aud" value is more like a service provider
URL with identifiers for other audiences.

 {
   "active": true,
   "client_id": "l238j323ds-23ij4",
   "username": "jdoe",
   "scope": "read write dolphin",
   "sub": "Z5O3upPC88QrAjx00dis",
   "aud": "https://protected.example.net/resource",
   "iss": "https://server.example.com/",
   "exp": 1419356238,
   "iat": 1419350238,
   "extension_field": "twenty-seven"
 }

Can we have different Audience values for the token introspection response
and the ID Token? If not, we can have both as Audience values.

[1] http://openid.net/specs/openid-connect-core-1_0.html#IDToken
[2] https://tools.ietf.org/html/rfc7662#section-2.2

Thanks,
Gayan

-- 
Gayan Gunawardana
Senior Software Engineer; WSO2 Inc.; http://wso2.com/
Email: ga...@wso2.com
Mobile: +94 (71) 8020933
_______________________________________________
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev
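
The two audience checks discussed in the message above, as an added example that is not part of the original post and is not WSO2 code. Function names are hypothetical; only the "aud"/"azp" handling is shown (signature, "iss" and "exp" validation are assumed to happen elsewhere), and rejecting a missing "aud" in the introspection response is a strict policy assumed here.

```python
def audiences(claims):
    """Return "aud" as a set; it may be a single string or an array of strings."""
    aud = claims.get("aud")
    if isinstance(aud, str):
        return {aud}
    if isinstance(aud, list) and all(isinstance(a, str) for a in aud):
        return set(aud)
    return set()  # missing or malformed: matches nothing


def id_token_aud_ok(claims, client_id, trusted=()):
    """Relying-party side: audience steps of OpenID Connect Core 3.1.3.7."""
    aud = audiences(claims)
    if client_id not in aud:
        return False  # the client is not listed as an audience
    if aud - {client_id} - set(trusted):
        return False  # an additional audience the client does not trust
    if len(aud) > 1 and "azp" not in claims:
        return False  # the spec says SHOULD; enforced here (assumption)
    return claims.get("azp", client_id) == client_id


def introspection_aud_ok(response, resource_id):
    """Resource-server side: RFC 7662 response must be active and name us."""
    if response.get("active") is not True:
        return False
    return resource_id in audiences(response)


# Relevant claims copied from the two payloads in the message above.
ID_TOKEN = {"iss": "https://server.example.com", "sub": "24400320",
            "aud": "s6BhdRkqt3"}
INTROSPECTION = {"active": True, "client_id": "l238j323ds-23ij4",
                 "aud": "https://protected.example.net/resource"}
# Constructed sample: one token value carrying both audiences.
BOTH = {"aud": ["s6BhdRkqt3", "https://protected.example.net/resource"],
        "azp": "s6BhdRkqt3"}

if __name__ == "__main__":
    rs = "https://protected.example.net/resource"
    print(id_token_aud_ok(ID_TOKEN, "s6BhdRkqt3"))
    print(introspection_aud_ok(INTROSPECTION, rs))
    print(id_token_aud_ok(BOTH, "s6BhdRkqt3", trusted=[rs]))
```

Each party checks only for its own identifier: the client looks for its client ID, the resource server for its own URL.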
