no?

On Mon, Jul 18, 2022 at 10:36 AM Janak Amarasena <janakama...@gmail.com> wrote:
> Hi Warren,
>
> Thanks for the input. By client what I meant was the application. If the
> application can be considered as a valid aud then since the AT is almost
> always received to the application shouldn't the application be added as a
> mandatory aud for the AT (similar to the id_token)?
>
> Best Regards,
> Janak Amarasena
>
> On Fri, Jul 15, 2022 at 2:54 PM Warren Parad <wpa...@rhosys.ch> wrote:
>
>> The aud claim should be the "application" or "resource server" that the
>> token would be used with, neither the authorization server nor the client
>> that receives the token should be the value.
>>
>> On Fri, Jul 15, 2022 at 7:27 AM Janak Amarasena <janakama...@gmail.com>
>> wrote:
>>
>>> Hi,
>>>
>>> I am sending this email to clarify something I read in the JSON Web
>>> Token (JWT) Profile for OAuth 2.0 Access Tokens specification (RFC 9068).
>>>
>>> Regarding the "aud" claim in the access token the specification mentions
>>> that:
>>> (https://datatracker.ietf.org/doc/html/rfc9068#section-3)
>>>
>>> "If the request does not include a "resource" parameter, the
>>> authorization server MUST use a default resource indicator in the "aud"
>>> claim. If a "scope" parameter is present in the request, the authorization
>>> server SHOULD use it to infer the value of the default resource indicator
>>> to be used in the "aud" claim."
>>>
>>> It's not quite clear what the default resource indicator should usually
>>> be. My initial thoughts were that it should either be the authorization
>>> server or the client application. However, adding the client application as
>>> the default audience feels a bit counterintuitive as the client
>>> application would not generally consume the access token itself, but rather
>>> use it to access a resource.
>>>
>>> Best Regards,
>>> Janak Amarasena
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
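To illustrate the point made in the thread above, here is an added example (not code from the thread, from the OAuth WG, or from RFC 9068) of the two sides of the "aud" question: the authorization server choosing the audience from the "resource" parameter or inferring it from "scope", and the resource server accepting only tokens whose "aud" names that resource server. The issuer URL, resource URLs and the scope-to-resource mapping are constructed, and the resource server is assumed to have already verified the JWT signature against the issuer's key before these claim checks run.

```python
"""Audience selection (AS side) and audience validation (RS side) for JWT
access tokens, following the aud semantics discussed in the thread above.
All identifiers below are constructed for the example."""
import time

ISSUER = "https://as.example.com"          # constructed authorization server id
SCOPE_TO_RESOURCE = {                      # assumed scope -> resource indicator map
    "orders:read": "https://orders.example.com",
    "orders:write": "https://orders.example.com",
    "billing:read": "https://billing.example.com",
}


def choose_audience(resource=None, scope=None):
    """AS side: use the 'resource' parameter when the client sent one;
    otherwise infer a single default resource indicator from 'scope'."""
    if resource:
        return resource
    inferred = {SCOPE_TO_RESOURCE[s] for s in (scope or "").split()
                if s in SCOPE_TO_RESOURCE}
    if len(inferred) != 1:
        # No resource and no (or ambiguous) scope: refuse to guess a default
        # rather than fall back to the AS or the client as the audience.
        raise ValueError("cannot infer a single default resource indicator")
    return inferred.pop()


def validate_claims(header, claims, my_resource_id, now=None):
    """RS side (signature already verified): returns None when the token is
    acceptable for this resource server, else a short rejection reason."""
    now = time.time() if now is None else now
    if header.get("typ") != "at+jwt":          # RFC 9068 access-token type
        return "not an at+jwt access token"
    if claims.get("iss") != ISSUER:
        return "wrong issuer"
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else list(aud or [])
    if my_resource_id not in aud:
        # Tokens addressed to the AS, to the client, or to another API
        # are rejected here; only our own resource indicator is accepted.
        return "audience mismatch"
    if claims.get("exp", 0) <= now:
        return "expired"
    return None
```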