Yeah, the discussion was/is definitely about "other endpoints at the AS"
like revocation, introspection, device authorization, etc.

On Fri, May 31, 2019 at 12:47 PM George Fletcher wrote:
> So if by "other endpoints" we mean "other endpoints at the AS" then I
> think issuer makes a lot of sense

So if by "other endpoints" we mean "other endpoints at the AS" then I
think issuer makes a lot of sense and could be a recommended value.
However, if the client assertion is being sent to an endpoint not
managed by the AS, then it should use a value that identifies that
"audience". In this case,

Dear OAuth WG

We have an issue that we are discussing in the OIDF MODRNA work group
relating to the Client Initiated Back Authentication spec (which is an
OAuth 2 extension). As the issue affects the wider OAuth ecosystem we
wanted to post it here and gain feedback from the OAuth Working Group.
F