That's right, sorry, there's not actually a conflict now as the PoP key distribution draft currently only uses the 'aud' parameter at the token endpoint.
I just assume it will end up being used at the authorization endpoint eventually because the need to disambiguate where the token will be used isn't limited to the token endpoint (we do have this implicit thing). As John mentioned, we have used an 'aud' parameter (interpreted as a resource location) in our AS on both endpoints to allow the client to indicate where it intends to use the token it's asking for, which enables the AS to apply unique policy to that token for the given resource (it's not the exact same thing as PoP key distribution but conceptually similar). So I was confusing implementation experience with what was actually in the PoP key distribution draft. That said, I do think that JAR should register JWT claims that it's likely to use in the Request Object as authorization endpoint parameters to avoid this kind of conflict. And I something like the 'aud' parameter is needed at both the token and authorization endpoints so PoP key distribution should use a different name. Or this potential independent draft, which I do think has value. I was planning on proposing something that's based on similar parameters being worked on in token exchange - we're just not there quite yet. On Fri, Nov 6, 2015 at 6:03 AM, Hannes Tschofenig <hannes.tschofe...@gmx.net > wrote: > > Brian also pointed out that there is a conflict with the PoP key > distribution draft that uses the 'aud' parameter. John noted that > currently the 'aud' parameter is used towards a different endpoint, used > as a query parameter, but it would probably be good to take this into > account now. > > Justin noted that there is general utility to indicate the > audience. > Today people are forced to use the scope for WHAT, HOW and HOW LONG the > client wants to access a protected resource. The 'aud' describes the > WHAT aspect. He suggested to take it a general utility extension that > is indepdent of the PoP document. > > Hannes added a remark that the 'aud' parameter / claim was a > separate > document and then we added it to the PoP document. > > John said that we didn't had the wide-enough picture and we now > understand things better. > >
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
