<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Verdana;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:11.0pt;
        font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
tt
        {mso-style-priority:99;
        font-family:"Courier New";
        color:#003366;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
        {mso-style-priority:34;
        margin-top:0in;
        margin-right:0in;
        margin-bottom:0in;
        margin-left:.5in;
        margin-bottom:.0001pt;
        font-size:11.0pt;
        font-family:"Calibri","sans-serif";}
span.EmailStyle17
        {mso-style-type:personal-compose;
        font-family:"Calibri","sans-serif";
        color:windowtext;}
.MsoChpDefault
        {mso-style-type:export-only;}
@page WordSection1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
        {page:WordSection1;}
/* List Definitions */
@list l0
        {mso-list-id:788088648;
        mso-list-type:hybrid;
        mso-list-template-ids:-1551984132 67698703 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}
@list l0:level1
        {mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l0:level2
        {mso-level-number-format:alpha-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l0:level3
        {mso-level-number-format:roman-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:right;
        text-indent:-9.0pt;}
@list l0:level4
        {mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l0:level5
        {mso-level-number-format:alpha-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l0:level6
        {mso-level-number-format:roman-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:right;
        text-indent:-9.0pt;}
@list l0:level7
        {mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l0:level8
        {mso-level-number-format:alpha-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l0:level9
        {mso-level-number-format:roman-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:right;
        text-indent:-9.0pt;}
ol
        {margin-bottom:0in;}
ul
        {margin-bottom:0in;}
--></style>
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><a href="http://openid.bitbucket.org/openid-connect-core-1_0.html#IDTokenValidation">http://openid.bitbucket.org/openid-connect-core-1_0.html#IDTokenValidation</a> contains this text that George asked about in his review:<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"><span lang="EN" style="font-size:10.0pt;font-family:"Verdana","sans-serif";color:black">7.  If the
</span><tt><span lang="EN">alg</span></tt><span lang="EN" style="font-size:10.0pt;font-family:"Verdana","sans-serif";color:black"> parameter of the JWT header is a MAC based algorithm such as
</span><tt><span lang="EN">HS256</span></tt><span lang="EN" style="font-size:10.0pt;font-family:"Verdana","sans-serif";color:black">,
</span><tt><span lang="EN">HS384</span></tt><span lang="EN" style="font-size:10.0pt;font-family:"Verdana","sans-serif";color:black">, or
</span><tt><span lang="EN">HS512</span></tt><span lang="EN" style="font-size:10.0pt;font-family:"Verdana","sans-serif";color:black">, the octets of the UTF-8 representation of the
</span><tt><span lang="EN">client_secret</span></tt><span lang="EN" style="font-size:10.0pt;font-family:"Verdana","sans-serif";color:black"> corresponding to the
</span><tt><span lang="EN">client_id</span></tt><span lang="EN" style="font-size:10.0pt;font-family:"Verdana","sans-serif";color:black"> contained in the
</span><tt><span lang="EN">aud</span></tt><span lang="EN" style="font-size:10.0pt;font-family:"Verdana","sans-serif";color:black"> (audience) Claim are used as the key to validate the signature.
<span style="background:yellow;mso-highlight:yellow">Multiple audiences are not supported for MAC based algorithms.</span></span><span style="font-size:10.0pt"><o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">George wrote:<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in">“Why not? Wouldn't the secret associated with the azp work for the client to validate the id_token?  If we want interoperability across the use of audience and azp we are going to need to describe how it works in
 an extension document. It is not clear from this spec how it is to work and I was on most of the calls:)”<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">These questions arise:<o:p></o:p></p>
<p class="MsoListParagraph" style="text-indent:-.25in;mso-list:l0 level1 lfo1"><![if !supportLists]><span style="mso-list:Ignore">1.<span style="font:7.0pt "Times New Roman"">     
</span></span><![endif]>Does anyone remember the history behind the highlighted sentence?  I’m pretty sure that this was written before we had an “azp” claim.<o:p></o:p></p>
<p class="MsoListParagraph" style="text-indent:-.25in;mso-list:l0 level1 lfo1"><![if !supportLists]><span style="mso-list:Ignore">2.<span style="font:7.0pt "Times New Roman"">     
</span></span><![endif]>If there’s an “azp” claim and an “aud” claim and the values are different, which Client Secret would be the right one to use as the key value?  (George seems to be suggesting that it’s the one associated with the Client ID in the “azp”
 value.)<o:p></o:p></p>
<p class="MsoListParagraph" style="text-indent:-.25in;mso-list:l0 level1 lfo1"><![if !supportLists]><span style="mso-list:Ignore">3.<span style="font:7.0pt "Times New Roman"">     
</span></span><![endif]>If we did want to relax the restriction prohibiting multiple audiences, which value would be used for the key?  And would all the parties that need to validate the ID Token signature actually have access to this value?<o:p></o:p></p>
<p class="MsoListParagraph" style="text-indent:-.25in;mso-list:l0 level1 lfo1"><![if !supportLists]><span style="mso-list:Ignore">4.<span style="font:7.0pt "Times New Roman"">     
</span></span><![endif]>Or should we leave the text above as-is for now, and deal with this case as an extension later, if a need for it ever comes up?<o:p></o:p></p>
<p class="MsoListParagraph" style="text-indent:-.25in;mso-list:l0 level1 lfo1"><![if !supportLists]><span style="mso-list:Ignore">5.<span style="font:7.0pt "Times New Roman"">     
</span></span><![endif]>If we’re not defining how multi-valued audiences would work with MAC signatures for now, should we also tighten this by requiring that any “azp” value that is included have the same value as the single-valued audience value?<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">                                                            -- Mike<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
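<p class="MsoNormal">A worked version of the validation rule quoted above, added here as an example; it is not code from the spec or from anyone in the thread. It is Python, the issuer, client_id and client_secret values are constructed for the example, and it shows the two outcomes the questions turn on: a single-valued aud selects the client_secret that becomes the HMAC key, and a multi-valued aud is rejected rather than guessed at. The require_azp_match switch corresponds to the tightening asked about in question 5 and is this example's own assumption, not spec text.<o:p></o:p></p>

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed sample values for this example; none of them come from the spec or the thread.
ISSUER = "https://server.example.com"
CLIENT_ID = "s6BhdRkqt3"
CLIENT_SECRET = "constructed-client-secret-not-a-real-credential"

# Step 7 only applies to the MAC-based JWS algorithms; the shared secret is the HMAC key.
HMAC_ALGS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}


class IDTokenError(Exception):
    """Raised when an ID Token fails validation."""


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims: dict, client_secret: str, alg: str = "HS256") -> str:
    """Build an HMAC-signed ID Token the way an OP would; used here only to make sample input."""
    header_b64 = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode())
    payload_b64 = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header_b64}.{payload_b64}"
    mac = hmac.new(client_secret.encode("utf-8"), signing_input.encode("ascii"), HMAC_ALGS[alg]).digest()
    return f"{signing_input}.{b64url_encode(mac)}"


def validate_hmac_id_token(id_token: str, client_id: str, client_secret: str, issuer: str,
                           now: Optional[float] = None, require_azp_match: bool = True) -> dict:
    """Validate an ID Token signed with HS256/HS384/HS512 per step 7 of ID Token Validation.

    The key is the UTF-8 octets of the client_secret belonging to the client_id named in aud,
    so aud must identify exactly one client; a multi-valued aud is rejected outright.
    require_azp_match is the tightening asked about in question 5 of the message above: any
    azp present must equal the single audience (an assumption of this example, not spec text).
    """
    try:
        header_b64, payload_b64, sig_b64 = id_token.split(".")
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(payload_b64))
        sig = b64url_decode(sig_b64)
    except ValueError as exc:  # bad base64, bad JSON, or the wrong number of segments
        raise IDTokenError(f"malformed JWT: {exc}")

    # Only the MAC algorithms are acceptable when all we hold is a shared secret. Rejecting
    # everything else here is what stops "alg":"none" or an asymmetric alg from being honoured.
    alg = header.get("alg")
    if alg not in HMAC_ALGS:
        raise IDTokenError(f"alg {alg!r} is not a supported MAC-based algorithm")

    # Key selection (step 7): the single aud value says whose client_secret is the key.
    aud = claims.get("aud")
    if isinstance(aud, list):
        if len(aud) != 1:
            raise IDTokenError("multiple audiences are not supported for MAC-based algorithms")
        aud = aud[0]
    if aud != client_id:
        raise IDTokenError("aud does not name this client, so no key is available")

    expected = hmac.new(client_secret.encode("utf-8"), f"{header_b64}.{payload_b64}".encode("ascii"),
                        HMAC_ALGS[alg]).digest()
    if not hmac.compare_digest(expected, sig):
        raise IDTokenError("signature verification failed")

    # Remaining claim checks run only after the MAC has been verified.
    if claims.get("iss") != issuer:
        raise IDTokenError("unexpected iss")
    exp = claims.get("exp")
    now = time.time() if now is None else now
    if not isinstance(exp, (int, float)) or exp <= now:
        raise IDTokenError("ID Token is expired or has no usable exp")
    azp = claims.get("azp")
    if require_azp_match and azp is not None and azp != aud:
        raise IDTokenError("azp does not match the single audience")
    return claims


def validation_error(id_token: str, **kwargs) -> Optional[str]:
    """Return the rejection reason, or None if the token validates; handy for tests and logs."""
    try:
        validate_hmac_id_token(id_token, CLIENT_ID, CLIENT_SECRET, ISSUER, **kwargs)
    except IDTokenError as exc:
        return str(exc)
    return None
```

<p class="MsoNormal">The order matters: aud is read before the MAC is checked only because it is what chooses the key, and nothing else in the claims is trusted until hmac.compare_digest has passed. Restricting alg to the HS* set up front is what keeps a token carrying “none” or an asymmetric algorithm from ever reaching the key-selection step.<o:p></o:p></p>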
</div>
</body>
</html>