Hannes - you make a good point.

I believe that the usage of "audience" in
http://www.ietf.org/id/draft-ietf-oauth-json-web-token-06.txt

also corresponds to <saml:destination> rather than <saml:audience>.

[quote-jwt06]
The aud (audience) claim identifies the audiences that the JWT is intended for. Each principal intended to process the JWT MUST identify itself with a value in audience claim. If the principal processing the claim does not identify itself with a value in the aud claim, then the JWT MUST be rejected. In the general case, the aud value is an array of case sensitive strings, each containing a StringOrURI value. In the special case when the JWT has one audience, the aud value MAY be a single case sensitive string containing a StringOrURI value. The interpretation of audience values is generally application specific. Use of this claim is OPTIONAL.
[\quote]

I think this is a point of quite some confusion (a similar problem arose during the SAML assertion drafts discussion
on Tuesday).

To the extent that JWT re-uses concepts and names from SAML, I don't think this is the correct name with the
semantics implied by the processing rules given in jwt06.

- prateek
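As an added illustration (not part of this thread or of any IETF draft), here is a relying-party check that applies the draft-06 aud processing rule quoted above, covering both the single-string and array forms and the exact, case-sensitive comparison the draft requires; SAMPLE_CLAIMS, TokenRejected and the require_aud policy switch are my own assumptions.

```python
# Constructed sample claims set, as a verifier would see it after the
# signature has been checked (signature handling is out of scope here).
SAMPLE_CLAIMS = {
    "iss": "https://issuer.example",
    "aud": ["https://rp.example/token", "https://other.example"],
    "exp": 1363300000,
}

class TokenRejected(Exception):
    """Raised when the JWT MUST be rejected under the draft-06 aud rule."""

def audience_values(claims):
    """Normalise aud to a list of case-sensitive StringOrURI values.

    draft-06 allows an array of strings or, for exactly one audience, a
    single string. A missing claim is OPTIONAL and yields []; any other
    shape is malformed and rejected.
    """
    aud = claims.get("aud")
    if aud is None:
        return []
    if isinstance(aud, str):
        return [aud]
    if isinstance(aud, list) and aud and all(isinstance(a, str) for a in aud):
        return aud
    raise TokenRejected("aud must be a string or a non-empty array of strings")

def check_audience(claims, my_identifier, require_aud=True):
    """The principal MUST identify itself with one of the aud values.

    Comparison is exact (no case folding, no URI normalisation). require_aud
    is a local policy choice the draft leaves open: aud is OPTIONAL, but a
    recipient that accepts tokens without it cannot tell they were meant for it.
    """
    audiences = audience_values(claims)
    if not audiences:
        if require_aud:
            raise TokenRejected("aud claim absent but required by policy")
        return True
    if my_identifier not in audiences:
        raise TokenRejected(f"{my_identifier!r} is not among aud {audiences!r}")
    return True

def accepts(claims, my_identifier, require_aud=True):
    """Boolean wrapper: True if this principal would accept the JWT."""
    try:
        return check_audience(claims, my_identifier, require_aud)
    except TokenRejected:
        return False
```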





Hi Prateek,

I never had planned to make the term audience align with the SAML 
specification.
However, in case this could lead to confusion we could also define a different 
term.

Btw, did you look at the JWT spec whether the audience term there is in line 
with the SAML spec?

Ciao
Hannes

On Mar 14, 2013, at 11:34 AM, prateek mishra wrote:

Hi Hannes,

I wanted to point out that use of the term "audience" in this document is not 
consistent with the SAML 2.0 specification.


What you are referring to here as "audience" corresponds to <saml:destination> 
which is described as

[quote-saml2.0]
Destination [Optional]
A URI reference indicating the address to which this request has been sent. 
This is useful to prevent
malicious forwarding of requests to unintended recipients, a protection that is 
required by some
protocol bindings. If it is present, the actual recipient MUST check that the 
URI reference identifies the
location at which the message was received. If it does not, the request MUST be 
discarded. Some
protocol bindings may require the use of this attribute (see [SAMLBind]).
[\quote]

In contrast, <saml:audience> is a means of limiting the liability of the 
asserting party and is described
in the following manner -

[quote-saml2.0]
  <Audience>
A URI reference that identifies an intended audience. The URI reference MAY 
identify a document
that describes the terms and conditions of audience membership. It MAY also 
contain the unique
identifier URI from a SAML name identifier that describes a system entity (see 
Section 8.3.6).
The audience restriction condition evaluates to Valid if and only if the SAML 
relying party is a member of
one or more of the audiences specified.

The SAML asserting party cannot prevent a party to whom the assertion is 
disclosed from taking action on
the basis of the information provided. However, the <AudienceRestriction> 
element allows the
SAML asserting party to state explicitly that no warranty is provided to such a 
party in a machine- and
human-readable form. While there can be no guarantee that a court would uphold 
such a warranty
exclusion in every circumstance, the probability of upholding the warranty 
exclusion is considerably
improved.
[\quote]

- prateek



_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
