My comments

1) Is the audience parameter mandatory when a handle token is used?

2) The value included in the aud parameter may not always be an absolute URI. For example, refer to Figure 2 in http://tools.ietf.org/html/draft-ietf-tram-turn-third-party-authz-02

3) What mitigations would the RS use to handle a scenario where there is a DDoS attack from clients sending invalid self-contained or handle tokens?

4) Step (2): "When the client interacts with the token endpoint to obtain an access token it MUST populate the newly defined 'audience' parameter with the information obtained in step (0)." Nit> Replace 'audience' with 'aud'

5) Figure 3 Comment> Please explain what kty, kid, and k mean?

Cheers,
-Tiru
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
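To make comments 2 and 5 concrete, here is an added example (not part of Tiru's message, the OAuth draft, or any IETF reference code) of what a resource server does with the Figure 3 style key object and the aud claim. It follows the JWK field meanings from RFC 7517 (kty = key type, kid = key identifier, k = base64url key bytes for a symmetric "oct" key) and a compact HS256 JWS for the self-contained token; the key, kid and audience values are constructed. The audience is compared as an opaque string, so a bare host name such as a TURN server's works as well as an absolute URI. Malformed tokens and unknown kids are rejected before any HMAC is computed, which is the cheapest possible rejection path for junk tokens.

```python
import base64
import hashlib
import hmac
import json


def b64url_decode(s: str) -> bytes:
    """Decode unpadded base64url, as used by JWK 'k' and JWS segments."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


# Constructed JWK in RFC 7517 shape for a symmetric key:
#   kty: key type; "oct" means an octet sequence, i.e. a symmetric key
#   kid: key identifier, lets the RS select among several keys it holds
#   k:   the raw key bytes, base64url-encoded
EXAMPLE_JWK = {
    "kty": "oct",
    "kid": "rs-key-2014-11",  # constructed identifier, not from the draft
    "k": b64url_encode(b"0123456789abcdef0123456789abcdef"),  # constructed key
}


def load_oct_jwk(jwk: dict) -> tuple:
    """Return (kid, key_bytes) from a symmetric JWK, rejecting other key types."""
    if jwk.get("kty") != "oct":
        raise ValueError("expected a symmetric (kty=oct) key")
    return jwk["kid"], b64url_decode(jwk["k"])


def mint_token(payload: dict, kid: str, key: bytes) -> str:
    """Build a compact HS256 JWS (a JWT-style self-contained token)."""
    header = {"alg": "HS256", "kid": kid}
    h = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url_encode(sig)}"


def verify_token(token: str, keys: dict, my_audience: str) -> dict:
    """Resource-server side: check structure, kid, signature, then aud.

    Structural and kid checks come first so that garbage is rejected
    before any HMAC work is spent on it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h_b64, p_b64, s_b64 = parts
    header = json.loads(b64url_decode(h_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unsupported alg")
    key = keys.get(header.get("kid"))
    if key is None:
        raise ValueError("unknown kid")
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s_b64)):
        raise ValueError("bad signature")
    payload = json.loads(b64url_decode(p_b64))
    # aud is a string or a list of strings (RFC 7519 section 4.1.3). Compare as
    # opaque strings: the value need not be an absolute URI, so do not try to
    # normalise it as one.
    aud = payload.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if my_audience not in audiences:
        raise ValueError("audience mismatch")
    return payload


def demo() -> dict:
    """Mint and verify a token whose aud is a host name, not an absolute URI."""
    kid, key = load_oct_jwk(EXAMPLE_JWK)
    # "turn.example.com" is a constructed audience value
    token = mint_token({"iss": "as.example", "aud": "turn.example.com"}, kid, key)
    return verify_token(token, {kid: key}, "turn.example.com")


if __name__ == "__main__":
    print(demo())
```

The key material here is loaded from a JWK object rather than hard-coded so the kid in the token header and the kid in the key object are the same value the RS matches on; a token presenting a kid the RS does not hold fails before the signature is even checked.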
