Section 3 <https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-06#section-3>
has,

"If signed, the Authorization Request Object SHOULD contain the Claims
"iss" (issuer) and "aud" (audience) as members, with their semantics being
the same as defined in the JWT [RFC7519
<https://tools.ietf.org/html/rfc7519>] specification."

However, OAuth doesn't really define an identifier for an AS (like Connect
does with its Issuer). What value should a client use for 'aud' to identify
the AS?

The example later in the section has "aud": "https://server.example.com".
However, the example seems to have just been copied from OpenID Connect
<http://openid.net/specs/openid-connect-core-1_0.html#RequestObject> and is
using the Connect concept of Issuer which isn't currently defined or
meaningful in the context of this document.
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
