Sorry yes, Google calls it cid. Mike's TLA theory for JWT, JWE, JWS, JWK can be confusing at times.

On 2012-12-28, at 10:59 AM, Brian Campbell <[email protected]> wrote:

> I believe John meant to refer to Google's adding of the cid claim rather than
> the prn claim.
>
>
> On Thu, Dec 27, 2012 at 5:53 PM, John Bradley <[email protected]> wrote:
> The discussion on the Connect call was that audience could be a literal or an
> array.
>
> example
>
> "aud":["http://audiance1.com","http://audiance2.com"]
>
> In some cases the token may want to have more than a single audience.
> (anthropomorphic license)
>
> in the simple case it would still be
> "aud":"http://audiance1.com"
>
> While dynamic typing of variables is not my favourite thing in principle, I
> am assured that this is common JSON syntax that people can deal with.
>
> The idea is to standardize this rather than everyone coming up with their own
> way around the restriction as Google did by adding the prn claim.
>
> At least this way if you only trust tokens with yourself as the audience you
> have an easy way to check.
>
> John B.
>
> On 2012-12-27, at 7:57 PM, Anthony Nadalin <[email protected]> wrote:
>
>> What do you mean by multi-valued and what are the semantics of multi-value?
>>
>> From: [email protected] [mailto:[email protected]] On Behalf Of
>> John Bradley
>> Sent: Thursday, December 27, 2012 5:32 AM
>> To: Mike Jones
>> Cc: [email protected]
>> Subject: Re: [OAUTH-WG] Must the Audience value in the Assertions Spec be a
>> URI?
>>
>> Agreed.
>>
>> We need to clarify that the value of the audience claim can be multi valued
>> as well.
>>
>> John B.
>>
>> On 2012-12-26, at 10:43 PM, Mike Jones <[email protected]> wrote:
>>
>> http://tools.ietf.org/html/draft-ietf-oauth-assertions-08#section-5.1
>> currently says:
>>
>>    Audience  A URI that identifies the party intended to process the
>>       assertion.  The audience SHOULD be the URL of the Token Endpoint
>>       as defined in Section 3.2 of OAuth 2.0 [RFC6749].
>>
>> I think that “URI” should be changed to “value”, since audience values in
>> general need not be URIs. In particular, in some contexts OAuth client_id
>> values are used as audience values, and they need not be URIs. Also, SAML
>> allows multiple audiences (and indeed, the OAuth SAML profile is written in
>> terms of “an audience value” – not “the audience value”), and so the generic
>> Assertions spec should do likewise.
>>
>> Thus, I would propose changing the text above to the following:
>>
>>    Audience  A value that identifies the parties intended to process the
>>       assertion.  An audience value SHOULD be the URL of the Token Endpoint
>>       as defined in Section 3.2 of OAuth 2.0 [RFC6749].
>>
>> -- Mike
>>
>> _______________________________________________
>> OAuth mailing list
>> [email protected]
>> https://www.ietf.org/mailman/listinfo/oauth
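
Added example, not part of the original message or of any spec text: a recipient-side audience check that accepts "aud" as either a literal or an array, as discussed in the thread, shown next to a naive membership test that silently becomes a substring match when "aud" is a string. The function names, the MY_AUDIENCE constant and the sample claim sets are assumptions constructed for illustration; the URLs are the ones used in the thread.

```python
import json

MY_AUDIENCE = "http://audiance1.com"  # assumed identifier of this recipient


def normalize_audience(claims):
    """Return the "aud" claim as a list of strings, or raise ValueError."""
    if "aud" not in claims:
        raise ValueError("missing aud claim")
    aud = claims["aud"]
    if isinstance(aud, str):
        values = [aud]   # simple case: a single literal
    elif isinstance(aud, list):
        values = aud     # multi-valued case: an array of literals
    else:
        raise ValueError("aud must be a string or an array of strings")
    if not values or not all(isinstance(v, str) and v for v in values):
        raise ValueError("aud must contain only non-empty strings")
    return values


def audience_accepts(claims, me=MY_AUDIENCE):
    """True only if `me` is exactly one of the token's audience values."""
    try:
        values = normalize_audience(claims)
    except ValueError:
        return False     # malformed aud: reject the token
    return any(v == me for v in values)  # whole-string comparison per entry


def naive_accepts(claims, me=MY_AUDIENCE):
    """Flawed check kept for contrast: `in` on a str is a substring test."""
    return me in claims.get("aud", "")


# Constructed claim sets (already-decoded token payloads), not real tokens.
SAMPLES = {
    "single": json.loads('{"aud": "http://audiance1.com"}'),
    "array": json.loads('{"aud": ["http://audiance1.com", "http://audiance2.com"]}'),
    "other": json.loads('{"aud": ["http://audiance2.com"]}'),
    "lookalike": json.loads('{"aud": "http://audiance1.com.example.net"}'),
    "empty": json.loads('{"aud": []}'),
    "mixed": json.loads('{"aud": ["http://audiance1.com", 7]}'),
}

if __name__ == "__main__":
    for name, claims in SAMPLES.items():
        print(name, audience_accepts(claims), naive_accepts(claims))
```
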
