There some folks out there that are using AUD to mean DST. Adding DST is confusing, if you want to use it that's fine but don't see a need to standardize every claim that someone comes up with
Sent from my Windows Phone ________________________________ From: Brian Campbell<mailto:bcampb...@pingidentity.com> Sent: 3/25/2015 2:19 PM To: Mike Jones<mailto:michael.jo...@microsoft.com> Cc: oauth<mailto:oauth@ietf.org> Subject: Re: [OAUTH-WG] JWT Destination Claim FWIW, I did have that as an open issue in the draft: http://tools.ietf.org/html/draft-campbell-oauth-dst4jwt-00#appendix-A Though the way I worded it probably shows my bias. On Wed, Mar 25, 2015 at 2:16 PM, Mike Jones <michael.jo...@microsoft.com<mailto:michael.jo...@microsoft.com>> wrote: Thanks for posting this, Brian. To get it down on the list, I’ll repeat my comment made in person that just as “aud” used to be single-valued and ended up being multi-valued, I suspect some applications would require the same thing of “dst” – at least when “aud” and “dst” are different. And even if “dst” becomes multi-valued, it’s OK for particular applications to require that it be single-valued in their usage. -- Mike From: OAuth [mailto:oauth-boun...@ietf.org<mailto:oauth-boun...@ietf.org>] On Behalf Of Brian Campbell Sent: Wednesday, March 25, 2015 2:08 PM To: oauth Subject: [OAUTH-WG] JWT Destination Claim Here are the slides that I rushed though at the end of the Dallas meeting: https://www.ietf.org/proceedings/92/slides/slides-92-oauth-1.pdf And the -00 draft: http://tools.ietf.org/html/draft-campbell-oauth-dst4jwt-00 In an informal discussion earlier this week John B. suggested that some additional thinking and/or clarification is needed with regard to what parts of the URI to include and check. Particularly with respect to query and fragment. And he's probably right.
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth