Dear Warren
I have resolved my issues, thanks for your support.

Regards Deepak

On Mon, Jul 18, 2022, 14:14 Warren Parad <wparad=40rhosys...@dmarc.ietf.org>
wrote:

> no?
>
> On Mon, Jul 18, 2022 at 10:36 AM Janak Amarasena <janakama...@gmail.com>
> wrote:
>
>> Hi Warren,
>>
>> Thanks for the input. By client what I meant was the application. If the
>> application can be considered as a valid aud, then since the AT is almost
>> always received by the application, shouldn't the application be added as a
>> mandatory aud for the AT (similar to the id_token)?
>>
>> Best Regards,
>> Janak Amarasena
>>
>> On Fri, Jul 15, 2022 at 2:54 PM Warren Parad <wpa...@rhosys.ch> wrote:
>>
>>> The aud claim should be the "application" or "resource server" that the
>>> token would be used with; neither the authorization server nor the client
>>> that receives the token should be the value.
>>>
>>> On Fri, Jul 15, 2022 at 7:27 AM Janak Amarasena <janakama...@gmail.com>
>>> wrote:
>>>
>>>> Hi,
>>>>
>>>> I am sending this email to clarify something I read in the JSON Web
>>>> Token (JWT) Profile for OAuth 2.0 Access Tokens specification (RFC 9068).
>>>>
>>>> Regarding the "aud" claim in the access token, the specification
>>>> mentions that:
>>>> (https://datatracker.ietf.org/doc/html/rfc9068#section-3)
>>>>
>>>> "If the request does not include a "resource" parameter, the
>>>> authorization server MUST use a default resource indicator in the "aud"
>>>> claim. If a "scope" parameter is present in the request, the authorization
>>>> server SHOULD use it to infer the value of the default resource indicator
>>>> to be used in the "aud" claim."
>>>>
>>>> It's not quite clear what the default resource indicator should usually
>>>> be. My initial thoughts were that it should either be the authorization
>>>> server or the client application. However, adding the client application as
>>>> the default audience feels a bit counterintuitive, as the client
>>>> application would not generally consume the access token itself, but rather
>>>> use it to access a resource.
>>>>
>>>> Best Regards,
>>>> Janak Amarasena
>>>> _______________________________________________
>>>> OAuth mailing list
>>>> OAuth@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>

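Warren's point above (the aud names the resource server the token will be used with, not the authorization server and not the client that receives it) is what a resource server enforces when it validates an access token. The following is an added example, not code from the thread or from any OAuth library: a minimal HS256 "at+jwt" validator in which the resource identifier, issuer URL and shared key are constructed demo values.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo values, not from the thread: this resource server's own
# identifier, the issuer it trusts, and a shared HS256 key for the example.
RESOURCE_ID = "https://api.example.com"
ISSUER = "https://as.example.com"
KEY = b"demo-key-not-for-production"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_access_token(claims: dict) -> str:
    """Issue an HS256 JWT access token with the RFC 9068 'at+jwt' header."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "at+jwt"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def validate_access_token(token: str, now=None) -> dict:
    """Resource-server checks: signature, header, iss, exp, then aud."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    signed = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(KEY, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256" or header.get("typ") != "at+jwt":
        raise ValueError("unexpected header")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("untrusted issuer")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("expired")
    # aud is a string or an array (RFC 7519). The token is meant for this
    # resource server only if our own identifier is listed; a client_id or
    # the issuer URL in aud means the token was minted for someone else.
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else list(aud or [])
    if RESOURCE_ID not in audiences:
        raise ValueError(f"token not intended for this resource: aud={aud!r}")
    return claims
```

A token whose aud is the client_id or the issuer URL is rejected even though its signature, issuer and expiry are all fine, which is exactly the case the thread is about.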