[Openid-specs-ab] Signed request object issuer and audience
Michael.Jones at microsoft.com
Wed Nov 27 22:23:07 UTC 2013
Core currently says:
If signed, the Request Object SHOULD contain the Claims iss (issuer) and aud (audience) as members, with their semantics being as defined in the JWT [JWT] specification.
In response to Justin's review comment that the "iss" and "aud" values should be specified, I started to write this:
The iss value MUST be the Client ID of the RP.
The aud value MUST be or include the OP's Issuer Identifier URL.
However, I then realized that the Client is already being communicated in the "client_id" request parameter, so also having it in the "iss" claim would be redundant.
I therefore propose that we explicitly say that an "iss" claim is not needed, since the Client ID identifies the request's originator, and require that the "client_id" parameter be present in all Request Objects. I would still add the sentence about the "aud" value.
Do people agree with this approach? I agree with Justin that we do need to specify what values to use.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Openid-specs-ab