[OAUTH-WG] Must the Audience value in the Assertions Spec be a URI?

Mike Jones Wed, 26 Dec 2012 17:43:30 -0800

http://tools.ietf.org/html/draft-ietf-oauth-assertions-08#section-5.1 currently 
says:



   Audience  A URI that identifies the party intended to process the

      assertion.  The audience SHOULD be the URL of the Token Endpoint

      as defined in Section 
3.2<http://tools.ietf.org/html/draft-ietf-oauth-assertions-08#section-3.2> of 
OAuth 2.0 [RFC6749<http://tools.ietf.org/html/rfc6749>].


I think that "URI" should be changed to "value", since audience values in 
general need not be URIs.  In particular, in some contexts OAuth client_id 
values are used as audience values, and they need not be URIs.  Also, SAML 
allows multiple audiences (and indeed, the OAuth SAML profile is written in 
terms of "an audience value" - not "the audience value"), and so the generic 
Assertions spec should do likewise.

Thus, I would propose changing the text above to the following:


   Audience  A value that identifies the parties intended to process the

      assertion.  An audience value SHOULD be the URL of the Token Endpoint

      as defined in Section 
3.2<http://tools.ietf.org/html/draft-ietf-oauth-assertions-08#section-3.2> of 
OAuth 2.0 [RFC6749<http://tools.ietf.org/html/rfc6749>].

                                                            -- Mike

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

[OAUTH-WG] Must the Audience value in the Assertions Spec be a URI?

Reply via email to