Hello, I have a question regarding "JWT Response for OAuth Token Introspection" (draft-02).
https://datatracker.ietf.org/doc/draft-ietf-oauth-jwt-introspection-response/?include_text=1

How to determine the value of "aud" in the response JWT? The example payload uses "https://protected.example.net/resource" as the value of "aud". The example value implies that it represents the identifier of the target resource or the resource server, but how does an authorization server implementation know the identifier?

I'm sorry if this has already been discussed.

To be honest, I fear that some inconsistencies might occur in future by treating resource servers as clients. If I had to write the specification, I would start from defining "resource server metadata" (e.g. expired draft: https://datatracker.ietf.org/doc/draft-jones-oauth-resource-metadata/) and devising a way to register resource servers into an authorization server and issue resource server credentials (e.g. rs_id and rs_secret, RS JWK Set, etc.) in order to treat resource servers and clients as different entities explicitly.

I hope that discussion for distinguishing "resource server authentication" from "client authentication" will be initiated sometime in future.

Best Regards,
Takahiko Kawasaki
Authlete, Inc.
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
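The question above is about how the "aud" of a JWT introspection response is chosen and checked. The following Python is an added example, not code from the post or from the draft: the authorization server addresses the signed response to one resource server, and that resource server accepts it only when "aud" names its own identifier (the draft's example value), so a response meant for another resource server is rejected. HS256 with a constructed shared secret, the issuer URL and the "typ" value are assumptions made for a self-contained demo; a real deployment would use the AS's asymmetric signing key.

```python
# Added example: JWT introspection response issued by an AS and validated by an RS.
# HS256 with a constructed shared secret stands in for the asymmetric signature a
# real deployment would use; claim names follow the draft's example payload.
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-secret"                # constructed for this example only
AS_ISSUER = "https://as.example.com/"              # assumed issuer identifier
RS_ID = "https://protected.example.net/resource"   # "aud" value from the draft's example

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_introspection_jwt(token_active: bool, audience: str, now: int) -> str:
    """AS side: wrap the introspection result in a JWT addressed to exactly one RS."""
    header = {"typ": "token-introspection+jwt", "alg": "HS256"}  # typ value assumed
    payload = {"iss": AS_ISSUER, "aud": audience, "iat": now, "exp": now + 120,
               "active": token_active, "client_id": "l238j323ds-23ij4",
               "scope": "read write", "sub": "Z5O3upPC88QrAjx00dis"}
    signing_input = (_b64url(json.dumps(header).encode()) + "."
                     + _b64url(json.dumps(payload).encode()))
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def rs_verify(jwt: str, my_id: str, now: int) -> dict:
    """RS side: accept only a fresh, correctly signed response whose "aud" names this RS."""
    h, p, s = jwt.split(".")
    expected = hmac.new(SECRET, (h + "." + p).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != AS_ISSUER:
        raise ValueError("unexpected issuer")
    aud = claims.get("aud")
    # "aud" may be a single string or a list; this RS must be one of the audiences.
    if my_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("response not addressed to this resource server")
    if now >= claims["exp"]:
        raise ValueError("response expired")
    return claims   # only now is claims["active"] trustworthy for this RS
```

The audience check is what stops an introspection response obtained for one resource server from being replayed to another, which is why the RS needs a stable identifier that the AS also knows.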