On 07/02/2019 16:15, Hannes Tschofenig wrote:
> Hi Ludwig,
>
>> My interpretation of this is that "resource" refers to a single resource
>
> No. Here is the text from token exchange (see last sentence):
>
> resource
> [...]
> Multiple "resource" parameters may be used to indicate that the issued token is intended to be used at the multiple resources listed.

Enumerating the audience is not the same as addressing it by a group name.

I agree that without too much stretching of the definition of the resource parameter I could use URIs as group identifiers; however, the audience claim is defined to be "StringOrURI", so if someone defines an audience identified by a String that is not a URI, how does a client ask for that with the resource parameter?

Or in short: Why don't you make your resource parameter mirror the "aud" claim?

/Ludwig

--
Ludwig Seitz, PhD
Security Lab, RISE
Phone +46(0)70-349 92 51
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth