Concern here is that value could be an “interpretation” and thus you may get different results that you don’t get when it’s a URI.

From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of Torsten Lodderstedt
Sent: Wednesday, December 26, 2012 10:46 PM
To: Mike Jones
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] Must the Audience value in the Assertions Spec be a URI?

+1

On 27.12.2012 at 02:43, Mike Jones <michael.jo...@microsoft.com> wrote:

http://tools.ietf.org/html/draft-ietf-oauth-assertions-08#section-5.1 currently says:

   Audience  A URI that identifies the party intended to process the assertion.  The audience SHOULD be the URL of the Token Endpoint as defined in Section 3.2<http://tools.ietf.org/html/draft-ietf-oauth-assertions-08#section-3.2> of OAuth 2.0 [RFC6749<http://tools.ietf.org/html/rfc6749>].

I think that “URI” should be changed to “value”, since audience values in general need not be URIs. In particular, in some contexts OAuth client_id values are used as audience values, and they need not be URIs. Also, SAML allows multiple audiences (and indeed, the OAuth SAML profile is written in terms of “an audience value” – not “the audience value”), and so the generic Assertions spec should do likewise.

Thus, I would propose changing the text above to the following:

   Audience  A value that identifies the parties intended to process the assertion.  An audience value SHOULD be the URL of the Token Endpoint as defined in Section 3.2<http://tools.ietf.org/html/draft-ietf-oauth-assertions-08#section-3.2> of OAuth 2.0 [RFC6749<http://tools.ietf.org/html/rfc6749>].

-- Mike

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
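
Added example, not part of the thread or of the draft: a sketch of an audience check that accepts one or several audience values and compares them as opaque strings, next to a lenient URL-normalizing comparison that shows how "interpreting" a value can change the outcome. The identifiers, the function names and the normalization rules are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed identifiers for the receiving authorization server (assumptions).
OWN_IDENTIFIERS = {"https://as.example.com/token", "as-client-1234"}


def audience_values(aud):
    """Accept one audience value or several, as the proposed text allows."""
    if isinstance(aud, str):
        return [aud]
    if isinstance(aud, (list, tuple)) and aud and all(isinstance(a, str) for a in aud):
        return list(aud)
    raise ValueError("audience must be a string or a non-empty list of strings")


def exact_match(aud, own=OWN_IDENTIFIERS):
    """Opaque comparison: a value matches only if it is character-for-character equal."""
    return any(a in own for a in audience_values(aud))


def _interpret(value):
    """One possible 'interpretation' of a value as a URL (hypothetical normalization)."""
    parts = urlsplit(value)
    if not parts.scheme or not parts.netloc:
        return value  # not a URL (e.g. a client_id): nothing to normalize
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    default_port = {"https": 443, "http": 80}.get(scheme)
    # Drop the port when it is absent or the scheme default.
    netloc = host if parts.port in (None, default_port) else f"{host}:{parts.port}"
    return f"{scheme}://{netloc}{parts.path.rstrip('/')}"


def interpreted_match(aud, own=OWN_IDENTIFIERS):
    """Lenient comparison, shown only to contrast with exact_match."""
    normalized_own = {_interpret(o) for o in own}
    return any(_interpret(a) in normalized_own for a in audience_values(aud))
```

Two recipients that pick different functions here would disagree on whether "https://AS.example.com:443/token/" names them, so the comparison rule has to be fixed by the recipient's profile rather than left to each implementation.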