Hi Vladimir,

> On 24. Sep 2019, at 08:03, Vladimir Dzhuvinov <vladi...@connect2id.com> wrote:
>
> When implementing 08 a question came up:
>
> * The token has multiple audiences (aud), e.g. ["rs1", "rs2", "rs3"].
>
> * The RS "rs1" is in the expected audience.
>
> Are there any considerations (privacy, etc.) about returning the full
> audience list ["rs1", "rs2", "rs3"] in the introspection response?
> Theoretically, the RS shouldn't be interested in which other RSs may
> legally consume the token, so those may be excluded from the list,
> returning only ["rs1"]
From a privacy perspective, I would expect the AS to reduce the data to the minimum required for the particular RS. In your case, the AS should narrow down the audience to ["rs1"]. From a security perspective, this also reduces the risk of replay at other RSs.

https://tools.ietf.org/html/draft-ietf-oauth-jwt-introspection-response-08#section-8.1

best regards,
Torsten.

> ?
>
> Vladimir
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
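The narrowing Torsten describes, as an added illustration that is not code from the thread or from the draft: the AS builds the introspection response for the authenticated RS, keeps only that RS in `aud`, and (a policy assumed here, not stated in the thread) answers `active: false` to an RS that is not in the token's audience at all. The token record, the function names and the sample values are constructed for the example.

```python
"""Audience narrowing for a token introspection response (added example)."""
from typing import Any, Dict, List, Optional

# Constructed sample: a token whose audience spans three resource servers.
SAMPLE_TOKEN = {
    "active": True,
    "sub": "alice",
    "aud": ["rs1", "rs2", "rs3"],
    "scope": "read write",
    "exp": 2000000000,
}


def narrow_audience(aud: Any, requesting_rs: str) -> Optional[List[str]]:
    """Return [requesting_rs] if the RS is in aud, otherwise None.

    JWT allows 'aud' to be a single string or a list of strings, so both
    shapes are accepted; the result always has exactly one entry.
    """
    audiences = [aud] if isinstance(aud, str) else list(aud or [])
    return [requesting_rs] if requesting_rs in audiences else None


def build_introspection_response(token: Dict[str, Any],
                                 requesting_rs: str) -> Dict[str, Any]:
    """Build the introspection response for the RS that called the endpoint.

    The caller is assumed to be authenticated already (requesting_rs is the
    identity the AS established for it). The RS never learns which other RSs
    may consume the token, and the narrowed response cannot be replayed at
    them because their identifiers are absent from 'aud'.
    """
    narrowed = narrow_audience(token.get("aud"), requesting_rs)
    if not token.get("active") or narrowed is None:
        # Minimal answer: nothing about the token is disclosed to an RS
        # that is not an intended audience.
        return {"active": False}
    response = dict(token)  # copy, so the stored record is untouched
    response["aud"] = narrowed
    return response
```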