<div dir="ltr"><div dir="ltr">FWIW there's some discussion in the comments of <a href="https://bitbucket.org/openid/mobile/issues/155">https://bitbucket.org/openid/mobile/issues/155</a> <br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, May 20, 2019 at 3:30 PM Hans Zandbelt <<a href="mailto:hans.zandbelt@zmartzone.eu">hans.zandbelt@zmartzone.eu</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">I came across this on a similar note when implementing client authentication to the  (RFC 7009) token revocation endpoint and I'm interested in your views.<div><br></div><div>Hans.</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, May 20, 2019 at 2:43 PM <<a href="mailto:josephheenan@bitbucket.org" target="_blank">josephheenan@bitbucket.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">New issue 155: aud to use in client_assertion passed to Backchannel Authentication Endpoint is murky?<br>
<a href="https://bitbucket.org/openid/mobile/issues/155/aud-to-use-in-client_assertion-passed-to" rel="noreferrer" target="_blank">https://bitbucket.org/openid/mobile/issues/155/aud-to-use-in-client_assertion-passed-to</a><br>
<br>
Joseph Heenan:<br>
<br>
We came across what looks like an oddity whilst implementing tests; I’m not sure if I’ve missed a specification or if there is something that could benefit from clarification:<br>
<br>
I can’t entirely figure out what the ‘aud’ value in a client assertion to the backchannel authentication endpoint should be.<br>
<br>
The client assertion spec, <a href="https://tools.ietf.org/html/rfc7521#section-5.1" rel="noreferrer" target="_blank">https://tools.ietf.org/html/rfc7521#section-5.1</a>, says:<br>
<br>
```<br>
 Audience<br>
      A value that identifies the party or parties intended to process<br>
      the assertion.  The URL of the token endpoint, as defined in<br>
      Section 3.2 of OAuth 2.0 [RFC6749], can be used to indicate that<br>
      the authorization server is a valid intended audience of the<br>
      assertion<br>
```<br>
<br>
<a href="https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication" rel="noreferrer" target="_blank">https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication</a> doesn’t seem to add any clarity.<br>
<br>
By contrast, the CIBA request object is quite clear: “The Audience claim MUST contain the value of the Issuer Identifier for the OP, which identifies the Authorization Server as an intended audience.”<br>
<br>
The three possibilities for the audience for client assertion seem to be:<br>
<br>
1. the token endpoint (as RFC7521 says)<br>
2. the backchannel authentication endpoint (because that’s where the assertion is being sent)<br>
3. the issuer (to match the CIBA request object)<br>
<br>
The server I’m trying against (Authlete) seems to have interpreted it as ‘2’.<br>
<br>
<br>
_______________________________________________<br>
Openid-specs-mobile-profile mailing list<br>
<a href="mailto:Openid-specs-mobile-profile@lists.openid.net" target="_blank">Openid-specs-mobile-profile@lists.openid.net</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-specs-mobile-profile" rel="noreferrer" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-mobile-profile</a><br>
</blockquote></div><br clear="all"><div><br></div>-- <br><div dir="ltr" class="gmail-m_-4284584575708989868gmail_signature"><div dir="ltr"><div><div dir="ltr"><div dir="ltr"><div style="font-size:small"><a href="mailto:hans.zandbelt@zmartzone.eu" target="_blank">hans.zandbelt@zmartzone.eu</a></div><div style="font-size:small">ZmartZone IAM - <a href="http://www.zmartzone.eu" target="_blank">www.zmartzone.eu</a><br></div></div></div></div></div></div>
</blockquote></div><br clear="all"><br>-- <br><div dir="ltr" class="gmail_signature"><div style="padding:0px;margin:0px">Brian Campbell<br>Distinguished Engineer<br><a href="https://www.pingidentity.com" target="_blank">Ping Identity</a><br><a href="mailto:bcampbell@pingidentity.com" target="_blank">bcampbell@pingidentity.com</a><br>w: +1 720.317.2061<br>c: +1 303.918.9415</div></div>
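<div dir="ltr">An added example, not code from any of the posters, from Authlete or from the specs themselves: a server-side verifier for a client_secret_jwt client assertion presented at the backchannel authentication endpoint that tolerates the ambiguity discussed in the thread by accepting any of the three candidate audiences (issuer, token endpoint, backchannel authentication endpoint), while still pinning the algorithm, requiring iss and sub to equal the client_id, and rejecting expired or replayed jti values. The issuer, endpoint URLs, client id and shared secret are constructed values.</div>

```python
import base64, hashlib, hmac, json, time

# Constructed example values (not from the thread): an OP whose issuer, token
# endpoint and backchannel authentication endpoint are three distinct strings.
ISSUER = "https://op.example"
TOKEN_ENDPOINT = "https://op.example/token"
BC_AUTHN_ENDPOINT = "https://op.example/bc-authorize"
# The three candidate audiences from the thread; accepting any of them keeps
# clients built on either reading of RFC 7521 / CIBA interoperable.
ACCEPTED_AUD = {ISSUER, TOKEN_ENDPOINT, BC_AUTHN_ENDPOINT}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_client_assertion(client_id, secret, aud, lifetime=60, jti="j-1"):
    """client_secret_jwt assertion (RFC 7523 profile): iss == sub == client_id."""
    now = int(time.time())
    claims = {"iss": client_id, "sub": client_id, "aud": aud,
              "iat": now, "exp": now + lifetime, "jti": jti}
    signing_input = _b64url(b'{"alg":"HS256","typ":"JWT"}') + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify_client_assertion(assertion, client_id, secret, seen_jti, now=None):
    """Return the claims if the assertion authenticates client_id; raise ValueError otherwise."""
    now = int(time.time()) if now is None else now
    h64, c64, s64 = assertion.split(".")          # ValueError if not three segments
    if json.loads(_b64url_decode(h64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")        # pin the algorithm, never trust the header
    expected = hmac.new(secret, f"{h64}.{c64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(c64))
    if claims.get("iss") != client_id or claims.get("sub") != client_id:
        raise ValueError("iss and sub must equal the authenticating client_id")
    aud = claims.get("aud")                       # a single string or a list of strings
    auds = set(aud) if isinstance(aud, list) else {aud}
    if not auds & ACCEPTED_AUD:
        raise ValueError(f"aud {aud!r} names none of this server's identifiers")
    if claims.get("exp", 0) <= now:
        raise ValueError("assertion expired")
    jti = claims.get("jti")
    if not jti or jti in seen_jti:
        raise ValueError("missing or replayed jti")   # RFC 7523: reject reuse of an assertion
    seen_jti.add(jti)
    return claims
```

A server that has settled on one reading can shrink ACCEPTED_AUD to a single value; the rest of the checks are the same either way.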
