[Openid-specs-ab] Signed request object issuer and audience

Mike Jones Michael.Jones at microsoft.com
Wed Nov 27 22:23:07 UTC 2013


Core currently says:
If signed, the Request Object SHOULD contain the Claims iss (issuer) and aud (audience) as members, with their semantics being as defined in the JWT [JWT] specification.

In response to Justin's review comment that the "iss" and "aud" values should be specified, I started to write this:
The iss value MUST be the Client ID of the RP.
The aud value MUST be or include the OP's Issuer Identifier URL.

However, I then realized that the Client is already being communicated in the "client_id" request parameter, so also having it in the "iss" claim would be redundant.

I therefore propose that we explicitly say that an "iss" claim is not needed, since the Client ID identifies the request's originator, and require that the "client_id" parameter be present in all Request Objects.  I would still add the sentence about the "aud" value.

Do people agree with this approach?  I agree with Justin that we do need to specify what values to use.

                                                                -- Mike

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20131127/ce0e1d06/attachment-0001.html>


More information about the Openid-specs-ab mailing list