Maybe the vendors implemented their non-standard extensions before the RFC was published.
Best regards,
Karsten

On 17.04.2023 23:57, Evert Pot wrote:
Hi list,

I'm the author of an OAuth2 client library[1]. I received a feature request to support the "audience" parameter on client_credentials, as seen on the following two server implementations:

* Auth0: https://auth0.com/docs/api/authentication?http#authorization-code-flow-with-pkce45
* Kinde: https://kinde.com/docs/build/get-access-token-for-connecting-securely-to-kindes-api/

Is this parameter based on any standard or draft, or are these non-standard vendor extensions? I'm hesitant to blindly add support for these without understanding the security implications.

Evert

[1]: https://github.com/badgateway/oauth2-client

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
--
Karsten Meyer zu Selhausen
Senior IT Security Consultant
Phone: +49 (0)234 / 54456499
Web: https://hackmanit.de | IT Security Consulting, Penetration Testing, Security Training

Save the date: 11.-12.5.2023. Join us in celebrating the 5th anniversary of RuhrSec - the IT security conference in Bochum: https://www.ruhrsec.de/2023

Hackmanit GmbH
Universitätsstraße 60 (Exzenterhaus)
44789 Bochum
Registergericht: Amtsgericht Bochum, HRB 14896
Geschäftsführer: Prof. Dr. Jörg Schwenk, Prof. Dr. Juraj Somorovsky, Dr. Christian Mainka, Prof. Dr. Marcus Niemietz