Hi
Given that the draft-tschofenig-oauth-audience [1] has expired, I'm
wondering if it is still relevant.
I know the token introspection response can provide the audience
value(s), but the question is really how a client is associated with a a
given audience in the first place. As such [1] may still make sense, for
example, I can think of two options:
1. the client audiences are set out of band during the client
registration time and all the tokens issued to that client will be
restricted accordingly
2. the client is requesting a specific audience during the grant to
token exchange as per [1]
I guess 1. is how it is done in practice or is 2. is also a valid option ?
Thanks, Sergey
[1] https://tools.ietf.org/html/draft-tschofenig-oauth-audience-00
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
