Hi Warren,

Thanks for the input. By client what I meant was the application. If the application can be considered as a valid aud, then since the AT is almost always received by the application, shouldn't the application be added as a mandatory aud for the AT (similar to the id_token)?
Best Regards,
Janak Amarasena

On Fri, Jul 15, 2022 at 2:54 PM Warren Parad <wpa...@rhosys.ch> wrote:
> The aud claim should be the "application" or "resource server" that the token would be used with; neither the authorization server nor the client that receives the token should be the value.
>
> On Fri, Jul 15, 2022 at 7:27 AM Janak Amarasena <janakama...@gmail.com> wrote:
>> Hi,
>>
>> I am sending this email to clarify something I read in the JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens specification (RFC 9068).
>>
>> Regarding the “aud” claim in the access token, the specification mentions that:
>> (https://datatracker.ietf.org/doc/html/rfc9068#section-3)
>>
>> "If the request does not include a "resource" parameter, the authorization server MUST use a default resource indicator in the "aud" claim. If a "scope" parameter is present in the request, the authorization server SHOULD use it to infer the value of the default resource indicator to be used in the "aud" claim."
>>
>> It's not quite clear what the default resource indicator should usually be. My initial thoughts were that it should either be the authorization server or the client application. However, adding the client application as the default audience feels a bit counterintuitive, as the client application would not generally consume the access token itself, but rather use it to access a resource.
>>
>> Best Regards,
>> Janak Amarasena
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
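As an added example (not part of this thread or of any project's code), the check a resource server applies on its own side under RFC 9068 section 4: the header typ must be at+jwt and aud must name this resource server, so a token whose aud is only the client_id or the issuer is rejected. The identifiers and tokens are constructed for the example (unsigned, with a dummy signature), and signature and expiry verification are assumed to run before this check.

```python
import base64
import json

# Constructed sample identifiers (not from the thread): this resource server,
# the authorization server, and an OAuth client.
RESOURCE_ID = "https://api.example.com"
ISSUER = "https://as.example.com"
CLIENT_ID = "s6BhdRkqt3"


def _b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def _b64url_encode(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def sample_token(aud, typ="at+jwt"):
    """Build a constructed, unsigned JWT access token with a dummy signature."""
    header = {"alg": "RS256", "typ": typ}
    claims = {"iss": ISSUER, "sub": "user123", "client_id": CLIENT_ID, "aud": aud}
    return ".".join([_b64url_encode(header), _b64url_encode(claims), "sig"])


def check_audience(token, expected_resource):
    """Resource-server checks from RFC 9068 section 4 that the thread is about.
    Assumes the signature and exp have already been verified (out of scope here).
    Returns (ok, reason)."""
    header_b64, payload_b64, _sig = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    claims = json.loads(_b64url_decode(payload_b64))
    # typ must identify the token as a JWT access token.
    if header.get("typ", "").lower() not in ("at+jwt", "application/at+jwt"):
        return False, "typ is not at+jwt"
    aud = claims.get("aud")
    if aud is None:
        return False, "aud missing"
    # aud may be a single string or a list of audiences (RFC 7519).
    audiences = [aud] if isinstance(aud, str) else list(aud)
    if expected_resource not in audiences:
        # A token whose aud is only the client_id or the issuer was not minted
        # for this resource server and must not be accepted.
        return False, "aud %r does not include %s" % (aud, expected_resource)
    return True, "ok"
```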