Closed PieterKas closed 1 year ago
Feedback from Brian Campbell
This requirement for the audience [https://www.ietf.org/archive/id/draft-identity-chaining-00.html#section-2.5.2-2.1] is already a requirement of [https://www.rfc-editor.org/rfc/rfc7521#section-5.2] (3rd bullet) and also [https://www.rfc-editor.org/rfc/rfc7523#section-3] (also 3rd bullet). But the way it's listed here makes it sound like an additional thing. It might be worthwhile to use the bullet here to be more specific about the aud value (it's been a bit of an interop pain point w/ JWT client auth fwiw) and say that it has to be the token endpoint or AS issuer identifier.
Feedback from Brian Campbell
This requirement for the audience [https://www.ietf.org/archive/id/draft-identity-chaining-00.html#section-2.5.2-2.1] is already a requirement of [https://www.rfc-editor.org/rfc/rfc7521#section-5.2] (3rd bullet) and also [https://www.rfc-editor.org/rfc/rfc7523#section-3] (also 3rd bullet). But the way it's listed here makes it sound like an additional thing. It might be worthwhile to use the bullet here to be more specific about the aud value (it's been a bit of an interop pain point w/ JWT client auth fwiw) and say that it has to be the token endpoint or AS issuer identifier.