[Openid-specs-ab] [openid/connect] what is azp really? (issue #830)
Michael.Jones at microsoft.com
Thu Mar 28 15:54:25 UTC 2013
Suggested text clarifications to address this issue are highly encouraged. The current definition is as follows:
OPTIONAL. Authorized Presenter. This member identifies an OAuth 2.0 Client authorized to use this ID Token as an OAuth Access Token. It MUST contain the client_id of the Authorized Presenter. This Claim is only needed when the party requesting the ID Token is not the same as the audience of the ID Token. It MAY be included even when the Authorized Presenter is the same as the audience.
From: Brian Campbell [mailto:issues-reply at bitbucket.org]
Sent: Thursday, March 28, 2013 8:30 AM
To: Mike Jones
Subject: [openid/connect] what is azp really? (issue #830)
New issue 830: what is azp really?
Even though I'm *somewhat* familiar with how "azp" got in the spec, from kind of knowing about Google's use case of "cid", and sort of know what it's supposed to do, I find the current text in the spec to be pretty confusing.
For example, there's text now for azp that says it "identifies an OAuth 2.0 Client authorized to use this ID Token as an OAuth Access Token." But I don't know what that actually means. There's no way to identify who the client is using an OAuth bearer token. So what does it mean to be authorized? How does one check or enforce that?
I believe that more clarification about what azp really is and what the OP and client are supposed to do with it would be good, as well as other systems and actors.
Folks (George/Nat) on the call (March 28) suggested that it's more aptly described as an "issued to" or "registered to" respectively.
And I still think different people have somewhat different ideas about what this thing is.
This issue is admittedly somewhat ticky-tacky but I was asked on the March 28 call to go ahead and file something on it for posterity. So that's what I'm doing.