[Openid-specs-mobile-profile] Issue #155: aud to use in client_assertion passed to Backchannel Authentication Endpoint is murky? (openid/mobile)

josephheenan at bitbucket.org josephheenan at bitbucket.org
Tue May 7 13:53:30 UTC 2019


New issue 155: aud to use in client_assertion passed to Backchannel Authentication Endpoint is murky?
https://bitbucket.org/openid/mobile/issues/155/aud-to-use-in-client_assertion-passed-to

Joseph Heenan:

We came across what looks like an oddity whilst implementing tests; I’m not sure if I’ve missed a specification or if there is something that could benefit from clarification:

I can’t entirely figure out what the ‘aud’ value in a client assertion to the backchannel authentication endpoint should be.

The client assertion spec, [https://tools.ietf.org/html/rfc7521#section-5.1](https://tools.ietf.org/html/rfc7521#section-5.1), says:

```
 Audience
      A value that identifies the party or parties intended to process
      the assertion.  The URL of the token endpoint, as defined in
      Section 3.2 of OAuth 2.0 [RFC6749], can be used to indicate that
      the authorization server is a valid intended audience of the
      assertion
```


[https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication](https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication) doesn’t seem to add any clarity.

By contrast, the CIBA request object is quite clear: “The Audience claim MUST contain the value of the Issuer Identifier for the OP, which identifies the Authorization Server as an intended audience.”

The three possibilities for the audience for client assertion seem to be:

1. the token endpoint (as RFC7521 says)
2. the backchannel authentication endpoint (because that’s where the assertion is being sent)
3. the issuer (to match the CIBA request object)

The server I’m trying against (Authlete) seems to have interpreted it as ‘2’.
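As an added illustration (not code from the issue, from Authlete, or from any OpenID specification), the following Python shows a minimal client_secret_jwt assertion builder (RFC 7523, HS256) next to the server-side verifier, written so the server can be configured to accept only one of the three candidate audiences above or all three of them. The issuer, endpoint URLs, client id, shared secret and timestamps are constructed placeholders.

```python
import base64, hashlib, hmac, json, time

# Constructed placeholder identifiers for a hypothetical authorization server.
ISSUER = "https://as.example.test"
TOKEN_ENDPOINT = ISSUER + "/token"
BACKCHANNEL_ENDPOINT = ISSUER + "/bc-authorize"
CLIENT_ID = "client-123"
CLIENT_SECRET = b"constructed-shared-secret-for-demo-only"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_client_assertion(aud, now=None, jti="constructed-jti-1"):
    """Build a client_secret_jwt assertion (RFC 7523) carrying the given aud."""
    now = int(time.time()) if now is None else now
    claims = {"iss": CLIENT_ID, "sub": CLIENT_ID, "aud": aud,
              "jti": jti, "iat": now, "exp": now + 60}
    enc = lambda o: _b64url(json.dumps(o, separators=(",", ":")).encode())
    signing_input = enc({"alg": "HS256", "typ": "JWT"}) + "." + enc(claims)
    sig = hmac.new(CLIENT_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify_client_assertion(assertion, accepted_auds, now=None, seen_jtis=None):
    """Server-side check; returns (ok, reason). aud may be a string or a list."""
    now = int(time.time()) if now is None else now
    parts = assertion.split(".")
    if len(parts) != 3:
        return False, "malformed"
    h, p, s = parts
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        return False, "unexpected alg"  # pin the algorithm, never trust the header
    expected = hmac.new(CLIENT_SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return False, "bad signature"
    c = json.loads(_b64url_decode(p))
    if c.get("iss") != CLIENT_ID or c.get("sub") != CLIENT_ID:
        return False, "iss/sub mismatch"
    auds = c["aud"] if isinstance(c.get("aud"), list) else [c.get("aud")]
    if not any(a in accepted_auds for a in auds):
        return False, "aud not accepted"  # this is where options 1/2/3 disagree
    if c.get("exp", 0) <= now:
        return False, "expired"
    if seen_jtis is not None:
        if c.get("jti") in seen_jtis:
            return False, "jti replayed"
        seen_jtis.add(c.get("jti"))
    return True, "ok"
```

A server that passes only `{BACKCHANNEL_ENDPOINT}` as `accepted_auds` behaves like option 2 and rejects clients that chose option 1 or 3; passing all three identifiers of the same server accepts any of them without weakening the audience check.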
