Well... the aud term came from Googlers' use of the term and not SAML.
I agree with Prateek that the intention of the jwt:aud is rather
similar to saml:destination.
JWT is imposing the processing rule on it, while saml:audience is
mainly concerned with liability.

Nat


2013/3/15 Mike Jones <michael.jo...@microsoft.com>:
> The JWT meaning of the term "audience" is intended to be the same as SAML.  
> Suggested wording clarifications would be welcomed.
>
>                                 -- Mike
>
> -----Original Message-----
> From: prateek mishra [mailto:prateek.mis...@oracle.com]
> Sent: Thursday, March 14, 2013 11:53 AM
> To: Hannes Tschofenig; Mike Jones
> Cc: oauth@ietf.org
> Subject: the meaning of audience in SAML vs. OAuth
>
> Hannes - you make a good point.
>
> I believe that the usage of "audience" in 
> http://www.ietf.org/id/draft-ietf-oauth-json-web-token-06.txt
>
> also corresponds to <saml:destination> rather than <saml:audience>.
>
> [quote-jwt06]
> The aud (audience) claim identifies the audiences that the JWT is intended 
> for. Each principal intended to process the JWT MUST identify itself with a 
> value in audience claim. If the principal processing the claim does not 
> identify itself with a value in the aud claim, then the JWT MUST be rejected. 
> In the general case, the aud value is an array of case sensitive strings, 
> each containing a StringOrURI value. In the special case when the JWT has one 
> audience, the aud value MAY be a single case sensitive string containing a 
> StringOrURI value. The interpretation of audience values is generally 
> application specific. Use of this claim is OPTIONAL.
> [\quote]
>
> I think this is a point of quite some confusion (a similar problem arose 
> during the SAML assertion drafts discussion on Tuesday).
>
> To the extent that JWT re-uses concepts and names from SAML, I don't think 
> this is the correct name with the semantics implied by the processing rules 
> given in jwt06.
>
> - prateek
>
>
>
>
>
>> Hi Prateek,
>>
>> I never had planned to make the term audience to align with the SAML 
>> specification.
>> However, in case this could lead to confusion we could also define a 
>> different term.
>>
>> Btw, did you look at the JWT spec whether the audience term there is in line 
>> with the SAML spec?
>>
>> Ciao
>> Hannes
>>
>> On Mar 14, 2013, at 11:34 AM, prateek mishra wrote:
>>
>>> Hi Hannes,
>>>
>>> I wanted to point out that use of the term "audience" in this document is 
>>> not consistent with the SAML 2.0 specification.
>>>
>>>
>>> What you are referring to here as "audience" corresponds to
>>> <saml:destination> which is described as
>>>
>>> [quote-saml2.0]
>>> Destination [Optional]
>>> A URI reference indicating the address to which this request has been
>>> sent. This is useful to prevent malicious forwarding of requests to
>>> unintended recipients, a protection that is required by some protocol
>>> bindings. If it is present, the actual recipient MUST check that the
>>> URI reference identifies the location at which the message was received. If 
>>> it does not, the request MUST be discarded. Some protocol bindings may 
>>> require the use of this attribute (see [SAMLBind]).
>>> [\quote]
>>>
>>> In contrast, <saml:audience> is a means of limiting the liability of
>>> the asserting party and is described in the following manner -
>>>
>>> [quote-saml2.0]
>>>   <Audience>
>>> A URI reference that identifies an intended audience. The URI
>>> reference MAY identify a document that describes the terms and
>>> conditions of audience membership. It MAY also contain the unique 
>>> identifier URI from a SAML name identifier that describes a system entity 
>>> (see Section 8.3.6).
>>> The audience restriction condition evaluates to Valid if and only if
>>> the SAML relying party is a member of one or more of the audiences 
>>> specified.
>>>
>>> The SAML asserting party cannot prevent a party to whom the assertion
>>> is disclosed from taking action on the basis of the information
>>> provided. However, the <AudienceRestriction> element allows the SAML
>>> asserting party to state explicitly that no warranty is provided to
>>> such a party in a machine- and human-readable form. While there can
>>> be no guarantee that a court would uphold such a warranty exclusion in 
>>> every circumstance, the probability of upholding the warranty exclusion is 
>>> considerably improved.
>>> [\quote]
>>>
>>> - prateek
>>>
>>>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth



-- 
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth