I believe John meant to refer to Google's adding of the *cid* claim rather than the *prn* claim.
On Thu, Dec 27, 2012 at 5:53 PM, John Bradley <ve7...@ve7jtb.com> wrote:
> The discussion on the Connect call was that audience could be a literal or
> an array.
>
> example
>
> "aud":["http://audiance1.com","http://audiance2.com"]
>
> In some cases the token may want to have more than a single audience.
> (anthropomorphic license)
>
> in the simple case it would still be
> "aud":"http://audiance1.com"
>
> While dynamic typing of variables is not my favourite thing in principle,
> I am assured that this is common JSON syntax that people can deal with.
>
> The idea is to standardize this rather than everyone coming up with their
> own way around the restriction as Google did by adding the prn claim.
>
> At least this way if you only trust tokens with yourself as the audience
> you have an easy way to check.
>
> John B.
>
> On 2012-12-27, at 7:57 PM, Anthony Nadalin <tony...@microsoft.com> wrote:
>
> What do you mean by multi-valued and what are the semantics of multi-value?
>
> From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of John Bradley
> Sent: Thursday, December 27, 2012 5:32 AM
> To: Mike Jones
> Cc: oauth@ietf.org
> Subject: Re: [OAUTH-WG] Must the Audience value in the Assertions Spec be a URI?
>
> Agreed.
>
> We need to clarify that the value of the audience claim can be multi
> valued as well.
>
> John B.
>
> On 2012-12-26, at 10:43 PM, Mike Jones <michael.jo...@microsoft.com> wrote:
>
> http://tools.ietf.org/html/draft-ietf-oauth-assertions-08#section-5.1
> currently says:
>
>    Audience   A URI that identifies the party intended to process the
>               assertion.  The audience SHOULD be the URL of the Token Endpoint
>               as defined in Section 3.2
>               <http://tools.ietf.org/html/draft-ietf-oauth-assertions-08#section-3.2>
>               of OAuth 2.0 [RFC6749 <http://tools.ietf.org/html/rfc6749>].
>
> I think that "URI" should be changed to "value", since audience values in
> general need not be URIs. In particular, in some contexts OAuth client_id
> values are used as audience values, and they need not be URIs. Also, SAML
> allows multiple audiences (and indeed, the OAuth SAML profile is written in
> terms of "an audience value" - not "the audience value"), and so the
> generic Assertions spec should do likewise.
>
> Thus, I would propose changing the text above to the following:
>
>    Audience   A value that identifies the parties intended to process the
>               assertion.  An audience value SHOULD be the URL of the Token
>               Endpoint as defined in Section 3.2
>               <http://tools.ietf.org/html/draft-ietf-oauth-assertions-08#section-3.2>
>               of OAuth 2.0 [RFC6749 <http://tools.ietf.org/html/rfc6749>].
>
> -- Mike
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
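The check John describes ("only trust tokens with yourself as the audience") has to cope with the `aud` claim being either a single string or an array. Below is an added example of that check, written for this thread and not code from any of the participants or from the OAuth drafts; the identifier values and sample payloads are constructed, and signature verification of the token is assumed to have happened already and is out of scope here.

```python
import json

# Added example (not from the thread): audience check that accepts the
# "aud" claim as either a single string or an array of strings and trusts
# a token only if one of *our* identifiers is listed. MY_IDENTIFIERS is a
# constructed value standing in for the token endpoint URL (or client_id)
# that the relying party knows itself by.
MY_IDENTIFIERS = {"https://token-endpoint.example/oauth2/token"}


def audience_values(claims):
    """Normalise the 'aud' claim to a list of strings.

    Returns an empty list when the claim is absent. Raises ValueError for
    any shape other than a string or an array of strings, so a malformed
    token fails closed instead of being treated as having no audience.
    """
    aud = claims.get("aud")
    if aud is None:
        return []
    if isinstance(aud, str):
        return [aud]
    if isinstance(aud, list) and all(isinstance(a, str) for a in aud):
        return list(aud)
    raise ValueError("aud must be a string or an array of strings")


def audience_accepted(claims, my_identifiers=MY_IDENTIFIERS):
    """True only if the token names at least one of our identifiers.

    Comparison is exact string equality (no prefix or substring matching),
    and a token that carries no audience at all is rejected, since such a
    token cannot be shown to have been issued for us.
    """
    values = audience_values(claims)
    if not values:
        return False
    return any(a in my_identifiers for a in values)


if __name__ == "__main__":
    # Constructed sample payloads: the single-string form, the array form
    # with us among several audiences, and a token meant for someone else.
    single = json.loads(
        '{"iss":"https://idp.example",'
        '"aud":"https://token-endpoint.example/oauth2/token"}'
    )
    multi = json.loads(
        '{"iss":"https://idp.example",'
        '"aud":["https://other.example","https://token-endpoint.example/oauth2/token"]}'
    )
    other = json.loads('{"iss":"https://idp.example","aud":["https://other.example"]}')
    print(audience_accepted(single), audience_accepted(multi), audience_accepted(other))
```

Keeping the normalisation (`audience_values`) separate from the decision (`audience_accepted`) means the string-or-array handling is done once, and the policy itself stays a plain set-membership test that is easy to audit.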