Concern here is that value could be an “interpretation” and thus you may get different results that you don’t get when it’s a URI.
From: [email protected] [mailto:[email protected]] On Behalf Of Torsten Lodderstedt
Sent: Wednesday, December 26, 2012 10:46 PM
To: Mike Jones
Cc: [email protected]
Subject: Re: [OAUTH-WG] Must the Audience value in the Assertions Spec be a URI?

+1

On 27.12.2012 at 02:43, Mike Jones <[email protected]<mailto:[email protected]>> wrote:

http://tools.ietf.org/html/draft-ietf-oauth-assertions-08#section-5.1 currently says:

Audience  A URI that identifies the party intended to process the assertion. The audience SHOULD be the URL of the Token Endpoint as defined in Section 3.2<http://tools.ietf.org/html/draft-ietf-oauth-assertions-08#section-3.2> of OAuth 2.0 [RFC6749<http://tools.ietf.org/html/rfc6749>].

I think that “URI” should be changed to “value”, since audience values in general need not be URIs. In particular, in some contexts OAuth client_id values are used as audience values, and they need not be URIs. Also, SAML allows multiple audiences (and indeed, the OAuth SAML profile is written in terms of “an audience value” – not “the audience value”), and so the generic Assertions spec should do likewise.

Thus, I would propose changing the text above to the following:

Audience  A value that identifies the parties intended to process the assertion. An audience value SHOULD be the URL of the Token Endpoint as defined in Section 3.2<http://tools.ietf.org/html/draft-ietf-oauth-assertions-08#section-3.2> of OAuth 2.0 [RFC6749<http://tools.ietf.org/html/rfc6749>].

-- Mike

_______________________________________________
OAuth mailing list
[email protected]<mailto:[email protected]>
https://www.ietf.org/mailman/listinfo/oauth
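Added example, not part of the mailing-list thread: a receiver-side audience check that accepts one or several audience values, URI or not, and shows how two comparison rules can disagree on the same assertion. The function names, the sample identifiers and the normalization rules (one possible "interpretation") are assumptions made for illustration.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Identifiers this receiver answers to (constructed sample values):
# its token endpoint URL and an OAuth client_id that is not a URI.
ACCEPTED = {"https://as.example.com/token", "s6BhdRkqt3"}


def normalize_uri(value):
    """One possible interpretation of a URI audience: lower-case the scheme
    and host and drop a default port. Non-URI values are returned unchanged."""
    parts = urlsplit(value)
    if not parts.scheme or not parts.hostname:
        return value  # e.g. a client_id: nothing to interpret
    scheme, host, port = parts.scheme, parts.hostname, parts.port
    netloc = host if port in (None, DEFAULT_PORTS.get(scheme)) else f"{host}:{port}"
    query = f"?{parts.query}" if parts.query else ""
    return f"{scheme}://{netloc}{parts.path or '/'}{query}"


def audience_ok(audiences, accepted, interpret=False):
    """Return True if any audience value in the assertion names this receiver.

    interpret=False compares the values as opaque strings.
    interpret=True compares them after normalize_uri().
    """
    if isinstance(audiences, str):  # a single audience value
        audiences = [audiences]
    if interpret:
        audiences = [normalize_uri(a) for a in audiences]
        accepted = {normalize_uri(a) for a in accepted}
    return any(a in accepted for a in audiences)


if __name__ == "__main__":
    same_endpoint_other_spelling = "https://AS.example.com:443/token"
    # Two receivers applying different rules reach different decisions.
    print(audience_ok(same_endpoint_other_spelling, ACCEPTED))                  # exact
    print(audience_ok(same_endpoint_other_spelling, ACCEPTED, interpret=True))  # interpreted
    # Multiple audiences, one of them a non-URI client_id.
    print(audience_ok(["https://other.example.net/token", "s6BhdRkqt3"], ACCEPTED))
```
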
