Hi Evert,

The audience parameter isn't standard; it was implemented before a standard modeling the corresponding concept (resource indicators) was introduced in https://www.rfc-editor.org/rfc/rfc8707.html. Audience is mostly an alias of the resource parameter, hence I wouldn't be too worried about implementing it security-wise. Just take a look at the security section of the spec above (and the spec in geber) and make sure you take it into account.
On Mon, Apr 17, 2023 at 14:57 Evert Pot <m...@evertpot.com> wrote:
> Hi list,
>
> I'm the author of an OAuth2 client library[1]. I received a feature request to
> support the "audience" parameter on client_credentials, as seen on the
> following two server implementations:
>
> - Auth0: https://auth0.com/docs/api/authentication?http#authorization-code-flow-with-pkce45
> - Kinde: https://kinde.com/docs/build/get-access-token-for-connecting-securely-to-kindes-api/
>
> Is this parameter based on any standard or draft, or are these non-standard
> vendor extensions? I'm hesitant to blindly add support for these without
> understanding the security implications.
>
> Evert
>
> [1]: https://github.com/badgateway/oauth2-client
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
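The reply above treats the vendor `audience` parameter as an alias of the RFC 8707 `resource` parameter and points at that RFC's security section. The following Python is an added example, not code from Evert's library or from the list: it builds a `client_credentials` request body under either parameter name, applies RFC 8707's syntax rules to the indicator, and shows the check a resource server makes on the token's `aud` claim so a token issued for one API is rejected at another. The client id, secret, URIs and claims are constructed placeholders; treating the `audience` alias as single-valued is an assumption about the vendor implementations.

```python
from urllib.parse import urlencode, urlsplit


def resource_indicator_problems(uri: str) -> list:
    """Return RFC 8707 section 2 violations for one indicator (empty list = ok).
    The value MUST be an absolute URI, MUST NOT carry a fragment and SHOULD NOT
    carry a query component; this function treats the SHOULD NOT as a hard rule."""
    parts = urlsplit(uri)
    problems = []
    if not parts.scheme:          # a URN such as urn:example:api is still absolute
        problems.append("not an absolute URI")
    if parts.fragment:
        problems.append("contains a fragment component")
    if parts.query:
        problems.append("contains a query component")
    return problems


def build_client_credentials_body(client_id: str, client_secret: str,
                                  resources: list, use_audience_alias: bool = False) -> str:
    """Form-encode a client_credentials token request (RFC 6749 section 4.4).
    With the standard name, `resource` may repeat (RFC 8707); with the vendor
    `audience` alias a single value is assumed."""
    if use_audience_alias and len(resources) != 1:
        raise ValueError("the audience alias is assumed to take exactly one value")
    params = [("grant_type", "client_credentials"),
              ("client_id", client_id),
              ("client_secret", client_secret)]
    name = "audience" if use_audience_alias else "resource"
    for uri in resources:
        problems = resource_indicator_problems(uri)
        if problems:
            raise ValueError(f"bad resource indicator {uri!r}: {', '.join(problems)}")
        params.append((name, uri))
    return urlencode(params)


def token_is_for_this_resource(claims: dict, my_identifier: str) -> bool:
    """Resource-server side of RFC 8707's security considerations: accept a token
    only when its `aud` (string or array, per RFC 7519) names this resource.
    A missing `aud` is rejected so an unrestricted token is not honoured here."""
    aud = claims.get("aud")
    if aud is None:
        return False
    if isinstance(aud, str):
        aud = [aud]
    return my_identifier in aud
```

A client that accepts an `audience` option can reuse `resource_indicator_problems` before sending, so a malformed value is caught locally rather than surfaced as an opaque `invalid_target` error from the server.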