The JWT meaning of the term "audience" is intended to be the same as SAML.  
Suggested wording clarifications would be welcomed.

                                -- Mike

-----Original Message-----
From: prateek mishra [mailto:prateek.mis...@oracle.com] 
Sent: Thursday, March 14, 2013 11:53 AM
To: Hannes Tschofenig; Mike Jones
Cc: oauth@ietf.org
Subject: the meaning of audience in SAML vs. OAuth

Hannes - you make a good point.

I believe that the usage of "audience" in 
http://www.ietf.org/id/draft-ietf-oauth-json-web-token-06.txt

also corresponds to <saml:destination> rather than <saml:audience>.

[quote-jwt06]
The aud (audience) claim identifies the audiences that the JWT is intended for. 
Each principal intended to process the JWT MUST identify itself with a value in 
audience claim. If the principal processing the claim does not identify itself 
with a value in the aud claim, then the JWT MUST be rejected. In the general 
case, the aud value is an array of case sensitive strings, each containing a 
StringOrURI value. In the special case when the JWT has one audience, the aud 
value MAY be a single case sensitive string containing a StringOrURI value. The 
interpretation of audience values is generally application specific. Use of 
this claim is OPTIONAL.
[\quote]

I think this is a point of quite some confusion (a similar problem arose during 
the SAML assertion drafts discussion on Tuesday).

To the extent that JWT re-uses concepts and names from SAML, I don't think this 
is the correct name with the semantics implied by the processing rules given in 
jwt06.

- prateek
> Hi Prateek,
>
> I never had planned to make the term audience to align with the SAML 
> specification.
> However, in case this could lead to confusion we could also define a 
> different term.
>
> Btw, did you look at the JWT spec whether the audience term there is in line 
> with the SAML spec?
>
> Ciao
> Hannes
>
> On Mar 14, 2013, at 11:34 AM, prateek mishra wrote:
>
>> Hi Hannes,
>>
>> I wanted to point out that use of the term "audience" in this document is 
>> not consistent with the SAML 2.0 specification.
>>
>>
>> What you are referring to here as "audience" corresponds to 
>> <saml:destination> which is described as
>>
>> [quote-saml2.0]
>> Destination [Optional]
>> A URI reference indicating the address to which this request has been 
>> sent. This is useful to prevent malicious forwarding of requests to 
>> unintended recipients, a protection that is required by some protocol 
>> bindings. If it is present, the actual recipient MUST check that the 
>> URI reference identifies the location at which the message was received. If 
>> it does not, the request MUST be discarded. Some protocol bindings may 
>> require the use of this attribute (see [SAMLBind]).
>> [\quote]
>>
>> In contrast, <saml:audience> is a means of limiting the liability of 
>> the asserting party and is described in the following manner -
>>
>> [quote-saml2.0]
>>   <Audience>
>> A URI reference that identifies an intended audience. The URI 
>> reference MAY identify a document that describes the terms and 
>> conditions of audience membership. It MAY also contain the unique identifier 
>> URI from a SAML name identifier that describes a system entity (see Section 
>> 8.3.6).
>> The audience restriction condition evaluates to Valid if and only if 
>> the SAML relying party is a member of one or more of the audiences specified.
>>
>> The SAML asserting party cannot prevent a party to whom the assertion 
>> is disclosed from taking action on the basis of the information 
>> provided. However, the <AudienceRestriction> element allows the SAML 
>> asserting party to state explicitly that no warranty is provided to 
>> such a party in a machine- and human-readable form. While there can 
>> be no guarantee that a court would uphold such a warranty exclusion in every 
>> circumstance, the probability of upholding the warranty exclusion is 
>> considerably improved.
>> [\quote]
>>
>> - prateek
>>
>>

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
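The two processing rules the thread compares, the draft-06 aud check and the SAML 2.0 Destination check, written out side by side as an added example (not code from the thread, the JWT draft, or the SAML specification). The recipient identifiers and claim sets are constructed for illustration.

```python
"""Audience and Destination checks as worded in the texts quoted above.

Constructed example: the identifiers used in the comments are placeholders,
not values from any real deployment.
"""


def aud_values(claims):
    """Normalise the aud claim. draft-06 allows either a single StringOrURI
    or an array of them; returns None when the (OPTIONAL) claim is absent."""
    if "aud" not in claims:
        return None
    aud = claims["aud"]
    if isinstance(aud, str):
        return [aud]
    if isinstance(aud, list) and all(isinstance(a, str) for a in aud):
        return list(aud)
    raise ValueError("aud must be a string or an array of strings")


def accept_for_audience(claims, self_id):
    """draft-06 rule: a principal processing the JWT MUST identify itself
    with a value in aud, otherwise the JWT MUST be rejected.

    The draft calls the values case-sensitive strings, so the comparison is
    plain string equality with no URI normalisation: a different case or a
    trailing slash is a different audience. When aud is absent the rule
    imposes nothing, so this function accepts; a deployment that wants
    every token scoped to a recipient must require the claim separately."""
    auds = aud_values(claims)
    if auds is None:
        return True
    return self_id in auds


def saml_destination_ok(destination, received_at):
    """SAML 2.0 Destination rule quoted in the thread: if present, the actual
    recipient MUST check that the URI identifies the location at which the
    message was received; if not, the request MUST be discarded.

    Structurally this is the same recipient check as the JWT aud rule, which
    is the point Prateek raises: neither resembles <saml:Audience>, whose
    match is against relying-party membership, not receipt location."""
    if destination is None:
        return True
    return destination == received_at
```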
