Sorry yes, Google calls it cid. Mike's TLA theory for JWT, JWE, JWS, JWK can 
be confusing at times.

On 2012-12-28, at 10:59 AM, Brian Campbell <[email protected]> wrote:

> I believe John meant to refer to Google's adding of the cid claim rather than 
> the prn claim.
> 
> 
> On Thu, Dec 27, 2012 at 5:53 PM, John Bradley <[email protected]> wrote:
> The discussion on the Connect call was that audience could be a literal or an 
> array.
> 
> example
> 
> "aud":["http://audiance1.com","http://audiance2.com"]
> 
> In some cases the token may want to have more than a single audience.  
> (anthropomorphic license)
> 
> in the simple case it would still be
> "aud":"http://audiance1.com"
> 
> While dynamic typing of variables is not my favourite thing in principle, I 
> am assured that this is common JSON syntax that people can deal with.
> 
> The idea is to standardize this rather than everyone coming up with their own 
> way around the restriction as Google did by adding the prn claim.
> 
> At least this way if you only trust tokens with yourself as the audience you 
> have an easy way to check.
> 
> John B.
> 
> On 2012-12-27, at 7:57 PM, Anthony Nadalin <[email protected]> wrote:
> 
>> What do you mean by multi-valued and what are the semantics of multi-value?
>>  
>> From: [email protected] [mailto:[email protected]] On Behalf Of 
>> John Bradley
>> Sent: Thursday, December 27, 2012 5:32 AM
>> To: Mike Jones
>> Cc: [email protected]
>> Subject: Re: [OAUTH-WG] Must the Audience value in the Assertions Spec be a 
>> URI?
>>  
>> Agreed.
>>  
>> We need to clarify that the value of the audience claim can be multi-valued 
>> as well. 
>>  
>> John B.
>>  
>> On 2012-12-26, at 10:43 PM, Mike Jones <[email protected]> wrote:
>> 
>> 
>> http://tools.ietf.org/html/draft-ietf-oauth-assertions-08#section-5.1 
>> currently says:
>>  
>>    Audience  A URI that identifies the party intended to process the
>>       assertion.  The audience SHOULD be the URL of the Token Endpoint
>>       as defined in Section 3.2 of OAuth 2.0 [RFC6749].
>>  
>> I think that “URI” should be changed to “value”, since audience values in 
>> general need not be URIs.  In particular, in some contexts OAuth client_id 
>> values are used as audience values, and they need not be URIs.  Also, SAML 
>> allows multiple audiences (and indeed, the OAuth SAML profile is written in 
>> terms of “an audience value” – not “the audience value”), and so the generic 
>> Assertions spec should do likewise.
>>  
>> Thus, I would propose changing the text above to the following:
>>  
>>    Audience  A value that identifies the parties intended to process the
>>       assertion.  An audience value SHOULD be the URL of the Token Endpoint
>>       as defined in Section 3.2 of OAuth 2.0 [RFC6749].
>>  
>>                                                             -- Mike
>>  
>> _______________________________________________
>> OAuth mailing list
>> [email protected]
>> https://www.ietf.org/mailman/listinfo/oauth
> 
> 

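Added example, not part of the original thread or of any spec text: a relying-party audience check that accepts `aud` as either a single string or an array, as discussed above, and compares values exactly. The function names and the `superstring`, `bad_type` and `missing` samples are constructed for illustration; the two audience URLs are the ones used in the thread.

```python
import json

def normalize_audience(claims):
    """Return the aud claim as a list of strings, whichever form it took."""
    if "aud" not in claims:
        raise ValueError("aud claim missing")
    aud = claims["aud"]
    if isinstance(aud, str):
        values = [aud]                 # simple case: one literal audience
    elif isinstance(aud, list):
        values = aud                   # multi-valued case: array of audiences
    else:
        # An object or number here must not fall through to an `in` test:
        # `x in some_dict` checks keys and would wrongly succeed.
        raise ValueError("aud must be a string or an array of strings")
    if not values or not all(isinstance(v, str) and v for v in values):
        raise ValueError("aud must contain only non-empty strings")
    return values

def audience_ok(claims, my_identifier):
    """True only if my_identifier is exactly one of the audience values."""
    try:
        # Membership in a list is an exact comparison. Testing
        # `my_identifier in aud` on a bare string would be a substring match.
        return my_identifier in normalize_audience(claims)
    except ValueError:
        return False

ME = "http://audiance1.com"            # this relying party's identifier
SAMPLES = {                            # constructed claim sets
    "single": '{"aud":"http://audiance1.com"}',
    "array": '{"aud":["http://audiance1.com","http://audiance2.com"]}',
    "other": '{"aud":"http://audiance2.com"}',
    "superstring": '{"aud":"http://audiance1.com.example"}',
    "bad_type": '{"aud":{"http://audiance1.com":true}}',
    "missing": '{"iss":"issuer"}',
}

def check_samples():
    return {name: audience_ok(json.loads(raw), ME) for name, raw in SAMPLES.items()}

if __name__ == "__main__":
    for name, ok in check_samples().items():
        print(f"{name:12} accepted={ok}")
```

Normalizing to a list before comparing is what keeps the string-or-array typing from turning into a substring or dictionary-key match in a dynamically typed language.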