The discussion on the Connect call was that audience could be a literal or an 
array.

example

"aud":["http://audiance1.com","http://audiance2.com"]

In some cases the token may want to have more than a single audience.  
(anthropomorphic license)

in the simple case it would still be
"aud":"http://audiance1.com"

While dynamic typing of variables is not my favourite thing in principle, I am 
assured that this is common JSON syntax that people can deal with.

The idea is to standardize this rather than everyone coming up with their own 
way around the restriction as google did by adding the prn claim.

At least this way if you only trust tokens with yourself as the audience you 
have an easy way to check.

John B.

On 2012-12-27, at 7:57 PM, Anthony Nadalin <tony...@microsoft.com> wrote:

> What do you mean by multi-valued and what are the semantics of multi-value?
>  
> From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of 
> John Bradley
> Sent: Thursday, December 27, 2012 5:32 AM
> To: Mike Jones
> Cc: oauth@ietf.org
> Subject: Re: [OAUTH-WG] Must the Audience value in the Assertions Spec be a 
> URI?
>  
> Agreed.
>  
> We need to clarify that the value of the audience claim can be multi valued 
> as well. 
>  
> John B.
>  
> On 2012-12-26, at 10:43 PM, Mike Jones <michael.jo...@microsoft.com> wrote:
> 
> 
> http://tools.ietf.org/html/draft-ietf-oauth-assertions-08#section-5.1 
> currently says:
>  
>    Audience  A URI that identifies the party intended to process the
>       assertion.  The audience SHOULD be the URL of the Token Endpoint
>       as defined in Section 3.2 of OAuth 2.0 [RFC6749].
>  
> I think that “URI” should be changed to “value”, since audience values in 
> general need not be URIs.  In particular, in some contexts OAuth client_id 
> values are used as audience values, and they need not be URIs.  Also, SAML 
> allows multiple audiences (and indeed, the OAuth SAML profile is written in 
> terms of “an audience value” – not “the audience value”), and so the generic 
> Assertions spec should do likewise.
>  
> Thus, I would propose changing the text above to the following:
>  
>    Audience  A value that identifies the parties intended to process the
>       assertion.  An audience value SHOULD be the URL of the Token Endpoint
>       as defined in Section 3.2 of OAuth 2.0 [RFC6749].
>  
>                                                             -- Mike
>  
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

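The "easy way to check" John describes above, as an added example that is not part of the thread: a recipient accepts the aud claim in either the single-string or the array form, and trusts the token only if its own identifier is an exact member. The sample claims are constructed for illustration, and signature verification is assumed to have happened before this check.

```python
import base64
import json


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring the stripped '=' padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def encode_payload(claims: dict) -> str:
    """Build a base64url payload segment from a claims dict (constructed input)."""
    raw = json.dumps(claims, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def audience_values(claims: dict) -> list:
    """Normalize 'aud' to a list of strings.

    Accepts the single-string form ("aud": "x") and the array form
    ("aud": ["x", "y"]) from the thread. A missing claim, an empty array,
    or any non-string element is treated as malformed and rejected.
    """
    aud = claims.get("aud")
    if isinstance(aud, str):
        return [aud]
    if isinstance(aud, list) and aud and all(isinstance(a, str) for a in aud):
        return aud
    raise ValueError("aud claim missing or malformed")


def intended_for_me(claims: dict, my_audience: str) -> bool:
    """True only if my_audience is an exact member of the token's audiences.

    Exact string comparison: no prefix or substring matching, so
    "http://audiance1.com/other" never satisfies "http://audiance1.com".
    """
    try:
        return my_audience in audience_values(claims)
    except ValueError:
        return False


def check_payload_segment(segment: str, my_audience: str) -> bool:
    """Decode a payload segment and apply the audience check to it."""
    claims = json.loads(b64url_decode(segment))
    return intended_for_me(claims, my_audience)


# Constructed samples mirroring the two forms shown in the thread.
SINGLE = {"iss": "https://issuer.example", "aud": "http://audiance1.com"}
MULTI = {"iss": "https://issuer.example",
         "aud": ["http://audiance1.com", "http://audiance2.com"]}
```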