[Openid-specs-ab] Guidance on aud vs azp

George Fletcher gffletch at aol.com
Thu Apr 11 14:55:53 UTC 2013


As I was working on some possible text for azp, I realized I have some 
questions around aud as well. I figure there has to be some general 
consensus about when and how to use them, so I figured I'd ask on the list 
rather than filing a ticket.

I can see a couple of use cases for these fields in the id_token and the 
values they contain seem like they can change depending on the context.

1. id_token used only by the client and never presented back to the AS 
or related endpoint
     aud = client_id of the requesting client
     azp = not really needed at all

2. id_token used by the client but also presented to the AS for session 
management or bootstrapping endpoints
     aud = ??? (seems like it should be the identifier of the AS)
     azp = client_id of the requesting client

3. id_token requested by a client and then presented by another client 
to some endpoint
     aud =  identifier representing the endpoint that will receive the 
     azp = identifier of the client presenting the id_token

     ??? = no mention of the actual requesting client (is this needed?)

Other use cases?

For me, I'd prefer to collapse use cases 1 and 2 and require azp to be 
the client_id of the requesting client and aud be the identifier of the 
AS or resource endpoint.

George Fletcher <http://connect.me/gffletch>
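As an added illustration of the three use cases above (not code from the original thread or from the OpenID working group), the following recipient-side check shows what a client, AS endpoint or resource endpoint would verify in each case. The acceptance rule it encodes (the recipient must appear in aud; if azp is present it must name a party the recipient has authorised to present the token; with several audiences and no azp the token is refused) is an assumption chosen for illustration, and the client and endpoint identifiers are constructed sample values. The JWT signature and expiry are assumed to have been verified before this check runs.

```python
from typing import Iterable, Optional


def accept_id_token(claims: dict, recipient: str,
                    allowed_presenters: Optional[Iterable[str]] = None) -> bool:
    """Return True if `recipient` may act on this id_token's claims.

    Assumed rule (illustrative, not a quotation of the spec):
      - `recipient` must be listed in aud (string or list of strings);
      - if azp is present, it must be an authorised presenter for this
        recipient (by default only the recipient itself);
      - a multi-audience token without azp is refused, because the recipient
        cannot tell which party is presenting it.
    """
    aud = claims.get("aud")
    if isinstance(aud, str):
        aud = [aud]
    if not aud or recipient not in aud:
        return False  # token was not issued for this recipient
    azp = claims.get("azp")
    if azp is None:
        return len(aud) == 1
    presenters = set(allowed_presenters) if allowed_presenters is not None else {recipient}
    return azp in presenters


# Constructed sample claim sets, one per use case in the message.
CLIENT_A = "client-a"                      # requesting client
CLIENT_B = "client-b"                      # another client presenting the token
AS_ID = "https://as.example"               # authorization server identifier
ENDPOINT = "https://api.example/session"   # resource endpoint identifier

CASE1 = {"iss": AS_ID, "sub": "user-123", "aud": CLIENT_A}
CASE2 = {"iss": AS_ID, "sub": "user-123", "aud": AS_ID, "azp": CLIENT_A}
CASE3 = {"iss": AS_ID, "sub": "user-123", "aud": ENDPOINT, "azp": CLIENT_B}


def evaluate_cases() -> dict:
    """Run each recipient's check over its own use case and a mismatched one."""
    return {
        "case1_client": accept_id_token(CASE1, CLIENT_A),
        "case1_as_rejects": accept_id_token(CASE1, AS_ID),
        "case2_as": accept_id_token(CASE2, AS_ID, allowed_presenters={CLIENT_A}),
        "case2_wrong_presenter": accept_id_token(CASE2, AS_ID, allowed_presenters={CLIENT_B}),
        "case3_endpoint": accept_id_token(CASE3, ENDPOINT, allowed_presenters={CLIENT_B}),
        "case3_requester_not_presenter": accept_id_token(CASE3, ENDPOINT, allowed_presenters={CLIENT_A}),
    }
```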
