oauth-wg / oauth-identity-chaining

Draft specification for Identity Chaining
https://drafts.oauth.net/oauth-identity-chaining/draft-ietf-oauth-identity-chaining.html

Clarify requirements for "aud" claim #49

Closed PieterKas closed 1 year ago

PieterKas commented 1 year ago

Feedback from Brian Campbell

This requirement for the audience (https://www.ietf.org/archive/id/draft-identity-chaining-00.html#section-2.5.2-2.1) is already a requirement of https://www.rfc-editor.org/rfc/rfc7521#section-5.2 (3rd bullet) and also https://www.rfc-editor.org/rfc/rfc7523#section-3 (also 3rd bullet). But the way it's listed here makes it sound like an additional thing. It might be worthwhile to use the bullet here to be more specific about the aud value (it's been a bit of an interop pain point w/ JWT client auth fwiw) and say that it has to be the token endpoint or AS issuer identifier.
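An added example, not part of this issue thread or of the draft: an authorization-server-side check of the assertion's `aud` claim along the lines the feedback describes, accepting only the AS token endpoint URL or the AS issuer identifier by exact string match (RFC 7523 section 3). The identifiers, the HS256 shared secret and the helper names are constructed for the example; a real AS would verify an asymmetric signature against the issuer's registered keys.

```python
import base64, hashlib, hmac, json, time

# Constructed identifiers for the AS that receives the JWT assertion.
AS_ISSUER = "https://as.example.com"
AS_TOKEN_ENDPOINT = "https://as.example.com/token"
ACCEPTED_AUDIENCES = {AS_ISSUER, AS_TOKEN_ENDPOINT}
SECRET = b"constructed-shared-secret"  # HS256 only to keep the example self-contained

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_assertion(claims: dict) -> str:
    """Build a signed JWT assertion (client side of the exchange)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def validate_assertion(jwt: str) -> tuple:
    """AS side: return (accepted, reason). Signature first, then 'aud', then 'exp'."""
    try:
        header, payload, sig = jwt.split(".")
    except ValueError:
        return False, "malformed JWT"
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig)):
        return False, "bad signature"
    claims = json.loads(_unb64url(payload))
    aud = claims.get("aud")
    if aud is None:
        return False, "missing aud"
    # RFC 7519: 'aud' is one string or an array of strings. Accept only if at
    # least one value names this AS exactly; no URL normalisation, which is the
    # interop trap the issue points at (token endpoint vs issuer identifier).
    auds = [aud] if isinstance(aud, str) else aud
    if not isinstance(auds, list) or not all(isinstance(a, str) for a in auds):
        return False, "aud must be a string or an array of strings"
    if not ACCEPTED_AUDIENCES.intersection(auds):
        return False, f"aud {auds} does not identify this AS"
    if claims.get("exp", 0) <= time.time():
        return False, "missing or expired exp"
    return True, "ok"
```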