http://tools.ietf.org/html/draft-ietf-oauth-assertions-08#section-5.1 currently says:

    Audience  A URI that identifies the party intended to process the
    assertion. The audience SHOULD be the URL of the Token Endpoint
    as defined in Section 3.2<http://tools.ietf.org/html/draft-ietf-oauth-assertions-08#section-3.2>
    of OAuth 2.0 [RFC6749<http://tools.ietf.org/html/rfc6749>].

I think that "URI" should be changed to "value", since audience values in
general need not be URIs. In particular, in some contexts OAuth client_id
values are used as audience values, and they need not be URIs. Also, SAML
allows multiple audiences (and indeed, the OAuth SAML profile is written in
terms of "an audience value" - not "the audience value"), and so the generic
Assertions spec should do likewise.

Thus, I would propose changing the text above to the following:

    Audience  A value that identifies the parties intended to process the
    assertion. An audience value SHOULD be the URL of the Token Endpoint
    as defined in Section 3.2<http://tools.ietf.org/html/draft-ietf-oauth-assertions-08#section-3.2>
    of OAuth 2.0 [RFC6749<http://tools.ietf.org/html/rfc6749>].

-- Mike
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth