(reposting this to the list, due to an error on my part the mail got sent privately)

> > > > - Can 'audience' be added to 'Resource Indicators for OAuth 2.0'?
> > >
> > > No, that's beyond its current scope. And it is well past last call in
> > > the WG. But note that a logical identifier can be used as the value
> > > of the resource parameter.
> >
> > Would you recommend putting the AWS entity id in the resource parameter
> > on the authorize request then?
>
> Yeah, that seems reasonable.
The more I think about this solution, the more convinced I get that it is not going to work in the general case. The main problem is that the resource parameter has a strict format: it MUST be an absolute URI. This works for SAML entity IDs and OIDC issuers, but it will not work for a client identifier in general. Many of the client identifiers we use are UUIDs. There is no way to put these in the resource parameter on the authorize request. The library we use to implement our OAuth2 endpoints is very strict about this.

Best regards,
Emond Papegaaij

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
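Editor's added example (not code from this thread, and not the strict library Emond refers to): a small Python check of what RFC 8707 Section 2 requires of a `resource` value, i.e. an absolute URI per RFC 3986 Section 4.3, no fragment component, and a query component only when necessary, applied to a constructed set of candidate identifiers. The SAML-metadata-style and issuer-style URLs, the UUID, the `urn:uuid:` form, the client_id and the redirect URI are all made up for the example; the `build_authorize_query` helper is the editor's illustration of how a client would attach one or more `resource` parameters to the authorization request and fail early on an invalid value.

```python
"""Check candidate `resource` values against RFC 8707 Section 2 (added example)."""
import re
from urllib.parse import urlencode, urlsplit

# RFC 3986 Section 3.1: scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )
_SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*$")


def check_resource(value: str) -> tuple[bool, str]:
    """Return (accepted, reason) for one candidate `resource` value.

    RFC 8707 Section 2: the value MUST be an absolute URI (RFC 3986
    Section 4.3), MUST NOT include a fragment component, and SHOULD NOT
    include a query component. The SHOULD NOT is reported, not rejected.
    """
    if not value:
        return False, "empty value"
    if any(ch.isspace() for ch in value):
        return False, "whitespace is not permitted in a URI"
    parts = urlsplit(value)
    if not parts.scheme or not _SCHEME_RE.match(parts.scheme):
        # A bare UUID, hostname or path has no scheme, so it is a
        # relative reference rather than an absolute URI.
        return False, "not an absolute URI (no valid scheme)"
    if parts.fragment or value.endswith("#"):
        # RFC 3986 treats an empty fragment after '#' as still present.
        return False, "fragment component is not allowed"
    if parts.query or value.endswith("?"):
        return True, "accepted, but a query component SHOULD NOT be used"
    return True, "accepted"


def build_authorize_query(client_id: str, redirect_uri: str,
                          resources: list[str]) -> str:
    """Build the query string of an authorization request carrying one
    `resource` parameter per target resource (RFC 8707 permits repeats).

    Raises ValueError for any value that fails check_resource, mirroring
    an authorization server library that enforces the absolute-URI rule.
    """
    for res in resources:
        ok, reason = check_resource(res)
        if not ok:
            raise ValueError(f"invalid resource {res!r}: {reason}")
    params = [("response_type", "code"),
              ("client_id", client_id),
              ("redirect_uri", redirect_uri)]
    params += [("resource", res) for res in resources]
    return urlencode(params)


# Constructed candidates for the demo; none of these are values from the thread.
CANDIDATES = [
    "https://idp.example.org/saml/metadata",          # SAML entity ID style
    "https://issuer.example.com",                     # OIDC issuer style
    "550e8400-e29b-41d4-a716-446655440000",           # bare UUID client id
    "urn:uuid:550e8400-e29b-41d4-a716-446655440000",  # same UUID as a URN
    "https://rs.example.com/api#v1",                  # fragment present
    "https://rs.example.com/api?tenant=a",            # query present
]

if __name__ == "__main__":
    for cand in CANDIDATES:
        ok, reason = check_resource(cand)
        print(f"{'OK ' if ok else 'BAD'} {cand}: {reason}")
    # Hypothetical client_id and redirect_uri, chosen for the example only.
    print(build_authorize_query("s6BhdRkqt3", "https://client.example.org/cb",
                                ["https://rs.example.com/api"]))
```

Running it shows the bare UUID rejected for lacking a scheme, while the SAML and OIDC style values pass. One observation from the editor, not from the thread: the same UUID wrapped as a `urn:uuid:` URI (RFC 4122) is syntactically an absolute URI and passes this check; whether a given authorization server or resource server would recognise such a value as its identifier is a separate question that the thread does not settle.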