Hi, I am sending this email to clarify something I read in the JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens specification (RFC 9068).

Regarding the "aud" claim in the access token, the specification (https://datatracker.ietf.org/doc/html/rfc9068#section-3) mentions that:

"If the request does not include a "resource" parameter, the authorization server MUST use a default resource indicator in the "aud" claim. If a "scope" parameter is present in the request, the authorization server SHOULD use it to infer the value of the default resource indicator to be used in the "aud" claim."

It's not quite clear what the default resource indicator should usually be. My initial thoughts were that it should either be the authorization server or the client application. However, adding the client application as the default audience feels a bit counterintuitive, as the client application would not generally consume the access token itself, but rather use it to access a resource.

Best Regards,
Janak Amarasena
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
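Added example (not part of this thread or of RFC 9068 itself) showing why the "aud" value matters to the party that finally consumes the token: a minimal at+jwt access token minted with the RFC 9068 claim set, and the resource-server check from section 4 that rejects any token whose "aud" does not name that resource server, including one whose audience is the client itself. Assumptions: HS256 with a constructed shared key (real deployments would use an asymmetric JWS algorithm and the AS's JWKS), and the issuer/resource identifiers are made up.

```python
import base64, hashlib, hmac, json

# Constructed, illustration-only key shared by the AS and the RS (assumption: HS256)
KEY = b"constructed-demo-key-do-not-reuse"
ISSUER = "https://as.example.com"  # assumed authorization server identifier

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_access_token(sub, client_id, aud, scope, now, ttl=300):
    """Authorization-server side: RFC 9068 section 2 claims, 'typ' of 'at+jwt'."""
    header = {"alg": "HS256", "typ": "at+jwt"}
    claims = {"iss": ISSUER, "sub": sub, "client_id": client_id, "aud": aud,
              "scope": scope, "iat": now, "exp": now + ttl, "jti": "constructed-jti-1"}
    enc = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{enc(header)}.{enc(claims)}"
    sig = hmac.new(KEY, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"

def validate_at_resource_server(token, my_resource_id, now):
    """Resource-server side (RFC 9068 section 4): returns (accepted, reason)."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed"
    h, p, s = parts
    try:
        expected = hmac.new(KEY, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s)):
            return False, "bad signature"  # verify before trusting any claim
        header, claims = json.loads(b64url_decode(h)), json.loads(b64url_decode(p))
    except Exception:
        return False, "malformed"
    if header.get("alg") != "HS256" or header.get("typ") != "at+jwt":
        return False, "not an at+jwt access token"  # rejects ID tokens and other JWTs
    if claims.get("iss") != ISSUER:
        return False, "unexpected issuer"
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else (aud or [])
    if my_resource_id not in aud:  # the RS must find its own identifier in 'aud'
        return False, "audience mismatch"
    if now >= int(claims.get("exp", 0)):
        return False, "expired"
    return True, "ok"

if __name__ == "__main__":
    now = 1_700_000_000
    good = mint_access_token("user-1", "client-app", ["https://api.example.com"], "read", now)
    # 'aud' set to the client itself, the choice the email questions: no RS will accept it
    client_aud = mint_access_token("user-1", "client-app", ["client-app"], "read", now)
    print(validate_at_resource_server(good, "https://api.example.com", now))        # (True, 'ok')
    print(validate_at_resource_server(good, "https://other.example.com", now))      # (False, 'audience mismatch')
    print(validate_at_resource_server(client_aud, "https://api.example.com", now))  # (False, 'audience mismatch')
```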