When implementing 08 a question came up:

* The token has multiple audiences (aud), e.g. ["rs1", "rs2", "rs3"].
* The RS "rs1" is in the expected audience.

Are there any considerations (privacy, etc.) about returning the full audience list ["rs1", "rs2", "rs3"] in the introspection response?

Theoretically, the RS shouldn't be interested in which other RSs may legally consume the token, so those may be excluded from the list, returning only ["rs1"]?

Vladimir

_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
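
The two options the question contrasts (the full audience list versus only the calling RS), shown as an added example that is not part of the original message or of the draft. The function names, the token dictionary layout and the handling of a caller outside the audience are assumptions.

```python
import time


def normalize_aud(aud):
    """Return the audience as a list; an 'aud' value may be a single string."""
    if aud is None:
        return []
    return [aud] if isinstance(aud, str) else list(aud)


def introspection_response(token, caller_rs, minimize_aud=True, now=None):
    """Build the introspection response for the authenticated caller.

    token      -- dict of stored token attributes (layout is an assumption)
    caller_rs  -- identifier of the RS that authenticated to the endpoint
    """
    now = time.time() if now is None else now
    audiences = normalize_aud(token.get("aud"))
    exp = token.get("exp")

    # Assumption: an expired token, or a caller that is not in the audience,
    # receives only active=false and learns nothing else about the token.
    if (exp is not None and exp <= now) or caller_rs not in audiences:
        return {"active": False}

    response = {"active": True, "scope": token.get("scope", "")}
    if exp is not None:
        response["exp"] = exp
    # minimize_aud=True discloses only the caller's own identifier;
    # minimize_aud=False discloses every RS the token is valid for.
    response["aud"] = [caller_rs] if minimize_aud else audiences
    return response


# Constructed sample token matching the audiences used in the question.
SAMPLE_TOKEN = {"aud": ["rs1", "rs2", "rs3"], "scope": "read", "exp": 2_000_000_000}

if __name__ == "__main__":
    print(introspection_response(SAMPLE_TOKEN, "rs1", minimize_aud=False, now=1_000))
    print(introspection_response(SAMPLE_TOKEN, "rs1", minimize_aud=True, now=1_000))
    print(introspection_response(SAMPLE_TOKEN, "rs4", now=1_000))
```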
