What do you mean by multi-valued and what are the semantics of multi-vale ?
From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of John Bradley Sent: Thursday, December 27, 2012 5:32 AM To: Mike Jones Cc: oauth@ietf.org Subject: Re: [OAUTH-WG] Must the Audience value in the Assertions Spec be a URI? Agreed. We need to clarify that the value of the audience claim can be multi valued as well. John B. On 2012-12-26, at 10:43 PM, Mike Jones <michael.jo...@microsoft.com<mailto:michael.jo...@microsoft.com>> wrote: http://tools.ietf.org/html/draft-ietf-oauth-assertions-08#section-5.1 currently says: Audience A URI that identifies the party intended to process the assertion. The audience SHOULD be the URL of the Token Endpoint as defined in Section 3.2<http://tools.ietf.org/html/draft-ietf-oauth-assertions-08#section-3.2> of OAuth 2.0 [RFC6749<http://tools.ietf.org/html/rfc6749>]. I think that "URI" should be changed to "value", since audience values in general need not be URIs. In particular, in some contexts OAuth client_id values are used as audience values, and they need not be URIs. Also, SAML allows multiple audiences (and indeed, the OAuth SAML profile is written in terms of "an audience value" - not "the audience value"), and so the generic Assertions spec should do likewise. Thus, I would propose changing the text above to the following: Audience A value that identifies the parties intended to process the assertion. An audience value SHOULD be the URL of the Token Endpoint as defined in Section 3.2<http://tools.ietf.org/html/draft-ietf-oauth-assertions-08#section-3.2> of OAuth 2.0 [RFC6749<http://tools.ietf.org/html/rfc6749>]. -- Mike _______________________________________________ OAuth mailing list OAuth@ietf.org<mailto:OAuth@ietf.org> https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth