The JWT meaning of the term "audience" is intended to be the same as SAML.
Suggested wording clarifications would be welcomed.
-- Mike
-----Original Message-----
From: prateek mishra [mailto:prateek.mis...@oracle.com]
Sent: Thursday, March 14, 2013 11:53 AM
To: Hannes Tschofenig; Mike Jones
Cc: oauth@ietf.org
Subject: the meaning of audience in SAML vs. OAuth
Hannes - you make a good point.
I believe that the usage of "audience" in
http://www.ietf.org/id/draft-ietf-oauth-json-web-token-06.txt
also corresponds to <saml:destination> rather than <saml:audience>.
[quote-jwt06]
The aud (audience) claim identifies the audiences that the JWT is intended for.
Each principal intended to process the JWT MUST identify itself with a value in
audience claim. If the principal processing the claim does not identify itself
with a value in the aud claim, then the JWT MUST be rejected. In the general
case, the aud value is an array of case sensitive strings, each containing a
StringOrURI value. In the special case when the JWT has one audience, the aud
value MAY be a single case sensitive string containing a StringOrURI value. The
interpretation of audience values is generally application specific. Use of
this claim is OPTIONAL.
[\quote]
I think this is a point of quite some confusion (a similar problem arose during
the SAML assertion drafts discussion on Tuesday).
To the extent that JWT re-uses concepts and names from SAML, I dont think this
is the correct name with the semantics implied by the processing rules given in
jwt06.
- prateek
> Hi Prateek,
>
> I never had planned to make the term audience to align with the SAML
> specification.
> However, in case this could lead to confusion we could also define a
> different term.
>
> Btw, did you look at the JWT spec whether the audience term there is inline
> with the SAML spec?
>
> Ciao
> Hannes
>
> On Mar 14, 2013, at 11:34 AM, prateek mishra wrote:
>
>> Hi Hannes,
>>
>> I wanted to point out that use of the term "audience" in this document is
>> not consistent with the SAML 2.0 specification.
>>
>>
>> What you are referring to here as "audience" corresponds to
>> <saml:destination> which is described as
>>
>> [quote-saml2.0]
>> Destination [Optional]
>> A URI reference indicating the address to which this request has been
>> sent. This is useful to prevent malicious forwarding of requests to
>> unintended recipients, a protection that is required by some protocol
>> bindings. If it is present, the actual recipient MUST check that the
>> URI reference identifies the location at which the message was received. If
>> it does not, the request MUST be discarded. Some protocol bindings may
>> require the use of this attribute (see [SAMLBind]).
>> [\quote]
>>
>> In contrast, <saml:audience> is a means of limiting the liability of
>> the asserting party and is described in the following manner -
>>
>> [quote-saml2.0]
>> <Audience>
>> A URI reference that identifies an intended audience. The URI
>> reference MAY identify a document that describes the terms and
>> conditions of audience membership. It MAY also contain the unique identifier
>> URI from a SAML name identifier that describes a system entity (see Section
>> 8.3.6).
>> The audience restriction condition evaluates to Valid if and only if
>> the SAML relying party is a member of one or more of the audiences specified.
>>
>> The SAML asserting party cannot prevent a party to whom the assertion
>> is disclosed from taking action on the basis of the information
>> provided. However, the <AudienceRestriction> element allows the SAML
>> asserting party to state explicitly that no warranty is provided to
>> such a party in a machine- and human-readable form. While there can
>> be no guarantee that a court would uphold such a warranty exclusion in every
>> circumstance, the probability of upholding the warranty exclusion is
>> considerably improved.
>> [\quote]
>>
>> - prateek
>>
>>
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
