[OAUTH-WG] Must the Audience value in the Assertions Spec be a URI?

http://tools.ietf.org/html/draft-ietf-oauth-assertions-08#section-5.1 currently says: Audience A URI that identifies the party intended to process the assertion. The audience SHOULD be the URL of the Token Endpoint as defined in Section 3.2

Re: [OAUTH-WG] WGLC for draft-ietf-oauth-revocation-03

Hi John, thanks for your feedback. After having thought through this topic again I came to the conclusion that I want to have a simple spec, which doesn't unnessarily restricts implementations. OAuth leaves so much freedom to implementors (for good reasons), which we should preserve. What d

Re: [OAUTH-WG] WGLC for draft-ietf-oauth-revocation-03

We don't want to share grant information across multiple instances of public client. However we don't necessarily want to preclude multiple instances of a private client, Though how the AS would tell them apart is a interesting side question. >From a revocation point of view if you revoke the

Re: [OAUTH-WG] Review of Token Revocation draft

I agree that #1 is currently the best option.Tokens are supposed to be opaque to the client in principal. The AS is in the best position to sort it out of required. Nothing stops the token from being structured if it is an issue for the AS. John B. On 2012-12-25, at 9:41 AM, Torsten Lod