Agreed. We need to clarify that the value of the audience claim can be multi-valued as well.
John B.

On 2012-12-26, at 10:43 PM, Mike Jones <michael.jo...@microsoft.com> wrote:

> http://tools.ietf.org/html/draft-ietf-oauth-assertions-08#section-5.1
> currently says:
>
>    Audience  A URI that identifies the party intended to process the
>       assertion.  The audience SHOULD be the URL of the Token Endpoint
>       as defined in Section 3.2 of OAuth 2.0 [RFC6749].
>
> I think that “URI” should be changed to “value”, since audience values in
> general need not be URIs.  In particular, in some contexts OAuth client_id
> values are used as audience values, and they need not be URIs.  Also, SAML
> allows multiple audiences (and indeed, the OAuth SAML profile is written in
> terms of “an audience value” – not “the audience value”), and so the generic
> Assertions spec should do likewise.
>
> Thus, I would propose changing the text above to the following:
>
>    Audience  A value that identifies the parties intended to process the
>       assertion.  An audience value SHOULD be the URL of the Token Endpoint
>       as defined in Section 3.2 of OAuth 2.0 [RFC6749].
>
> -- Mike
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
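An added example, not part of the original thread or of any draft text: one way a receiving party could check an audience that may be a single value or several, treating each value as an opaque string (a token endpoint URL or a client_id). The function names, the identifiers in `OWN_IDS`, and the assumption that the audience arrives as an already-parsed string or list are all constructed for illustration.

```python
from typing import Iterable, List, Union

AudienceClaim = Union[str, List[str]]


def normalize_audience(aud: AudienceClaim) -> List[str]:
    """Return the audience as a list of strings, or raise ValueError.

    Accepts the single-valued form ("x") and the multi-valued form (["x", "y"]).
    A missing, empty or wrongly typed audience is an error, never "matches all".
    """
    if isinstance(aud, str):
        values = [aud]
    elif isinstance(aud, list):
        values = aud
    else:
        raise ValueError("audience must be a string or a list of strings")
    if not values or not all(isinstance(v, str) and v for v in values):
        raise ValueError("audience must contain only non-empty strings")
    return values


def audience_accepts(aud: AudienceClaim, own_identifiers: Iterable[str]) -> bool:
    """True when at least one audience value names this party.

    Values are opaque: compared exactly, never parsed or normalized as URIs,
    so a client_id is as acceptable as a URL and a trailing slash is a mismatch.
    """
    if isinstance(own_identifiers, str):
        own = {own_identifiers}  # guard: a bare string is one identifier
    else:
        own = set(own_identifiers)
    return any(value in own for value in normalize_audience(aud))


# Constructed identifiers for the party processing the assertion (assumptions).
OWN_IDS = ["https://as.example.com/token", "s6BhdRkqt3"]

if __name__ == "__main__":
    samples = [
        "https://as.example.com/token",                   # single URL value
        ["https://other.example.net/token", "s6BhdRkqt3"],  # multi-valued, non-URI match
        "https://as.example.com/token/",                  # near miss: rejected
    ]
    for sample in samples:
        print(sample, "->", audience_accepts(sample, OWN_IDS))
```
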