I agree that “URI” should be changed to “value” for audience in the Assertions Spec (draft-ietf-oauth-assertions) as well as the JWT incarnation of it (draft-ietf-oauth-jwt-bearer). The SAML incarnation (draft-ietf-oauth-saml2-bearer) should probably keep URI because that's how the core SAML specification (saml-core-2.0-os) defines audience.
On Wed, Dec 26, 2012 at 6:43 PM, Mike Jones <michael.jo...@microsoft.com> wrote:

> http://tools.ietf.org/html/draft-ietf-oauth-assertions-08#section-5.1 currently says:
>
>    Audience  A URI that identifies the party intended to process the
>       assertion.  The audience SHOULD be the URL of the Token Endpoint
>       as defined in Section 3.2
>       <http://tools.ietf.org/html/draft-ietf-oauth-assertions-08#section-3.2> of
>       OAuth 2.0 [RFC6749 <http://tools.ietf.org/html/rfc6749>].
>
> I think that “URI” should be changed to “value”, since audience values in
> general need not be URIs. In particular, in some contexts OAuth client_id
> values are used as audience values, and they need not be URIs. Also, SAML
> allows multiple audiences (and indeed, the OAuth SAML profile is written in
> terms of “an audience value” – not “the audience value”), and so the
> generic Assertions spec should do likewise.
>
> Thus, I would propose changing the text above to the following:
>
>    Audience  A value that identifies the parties intended to process the
>       assertion.  An audience value SHOULD be the URL of the Token Endpoint
>       as defined in Section 3.2
>       <http://tools.ietf.org/html/draft-ietf-oauth-assertions-08#section-3.2> of
>       OAuth 2.0 [RFC6749 <http://tools.ietf.org/html/rfc6749>].
>
> -- Mike
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
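An added example, not part of the thread or of any draft: one way an authorization server could check the audience of a JWT bearer assertion when audience values are opaque strings that may or may not be URIs and an assertion may carry several of them. The function names, the accepted values and the choice of exact string comparison are assumptions made for this sketch; the claims are taken to come from an assertion whose signature has already been verified.

```python
from typing import Any, Iterable, List

# Constructed sample values: the token endpoint URL plus a non-URI identifier
# that this hypothetical authorization server also accepts as naming itself.
ACCEPTED_AUDIENCES = frozenset({
    "https://as.example.com/token",
    "as-example-01",
})


def audience_values(claims: dict) -> List[str]:
    """Return the audience values of an assertion as a list of strings.

    A JWT "aud" claim may be a single string or an array of strings.
    Anything else (missing, empty, non-string members) is malformed.
    """
    if "aud" not in claims:
        raise ValueError("assertion carries no audience")
    aud: Any = claims["aud"]
    if isinstance(aud, str):
        aud = [aud]
    if not isinstance(aud, list) or not aud:
        raise ValueError("audience must be a string or a non-empty array")
    for value in aud:
        if not isinstance(value, str) or not value:
            raise ValueError("audience values must be non-empty strings")
    return aud


def is_intended_audience(claims: dict,
                         accepted: Iterable[str] = ACCEPTED_AUDIENCES) -> bool:
    """True if at least one audience value names this server.

    Values are compared as opaque strings with no URI normalization
    (assumption of this sketch), so a trailing slash or a case difference
    is a mismatch. Malformed audiences are rejected, never ignored.
    """
    accepted_set = frozenset(accepted)
    try:
        values = audience_values(claims)
    except ValueError:
        return False
    return any(value in accepted_set for value in values)
```
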