[Openid-specs-ab] JSON Web Token (JWT) Bearer Profile for OAuth 2.0
nov matake
nov at matake.jp
Thu Sep 1 09:54:38 UTC 2011
Ah, you are right.
It's a big showstopper.
On 2011/09/01, at 17:52, Andreas Åkre Solberg wrote:
> On 1. sep. 2011, at 09:09, nov matake wrote:
>
>> # Step 3. Token Request
>>
>> [Request]
>> * POST /token?grant_type=http://oauth.net/grant_type/jwt/1.0/bearer&jwt=YOUR_ID_TOKEN
>
> I think your proposal is interesting.
>
> However one showstopper that I see is the following text from the spec:
>
>> The JWT MUST contain an aud (audience) claim containing a URI reference that identifies the authorization server as the intended audience. The authorization server MUST verify that it is an intended audience for the JWT.
>
> An ID Token is issued by the authorization to the OP, and the audience would then NOT be including the authorization server.
>
> Andreas
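To make the showstopper concrete: the quoted spec text requires the authorization server to verify that its own identifier appears in the JWT's aud claim, while an ID Token is minted for the Relying Party and so carries the RP's client_id in aud. The following is an added example, not code from this thread or from any OpenID or OAuth implementation. It implements the audience check on the AS side and runs it against two constructed tokens: an ID Token (aud = client_id) and a JWT bearer assertion the client mints itself (aud = the AS token endpoint). The issuer and endpoint URLs, the user identifier and the use of one HS256 demo secret for both tokens are assumptions made for the example; a real OP and a real client would sign with different keys.

```python
"""Audience check from the JWT Bearer profile, applied to an ID Token.

Added example, not code from the thread or from any OpenID/OAuth implementation.
Assumptions: HS256 with one shared demo secret for both tokens (a real OP and
client would use different keys), and hypothetical issuer/endpoint URLs.
"""
import base64
import hashlib
import hmac
import json

# Hypothetical identifiers (assumptions, not from the original post).
AS_TOKEN_ENDPOINT = "https://as.example.com/token"   # URI identifying the authorization server
OP_ISSUER = "https://op.example.com"                 # OpenID Provider that issued the ID Token
CLIENT_ID = "https://rp.example.com"                 # client_id of the Relying Party
DEMO_SECRET = b"shared-demo-secret"                  # demo only; see module docstring
NOW = 1_314_870_000                                  # fixed clock so the example is deterministic


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, key: bytes) -> str:
    """Minimal HS256 JWT encoder, sufficient to build the sample tokens."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}"
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def check_bearer_assertion(jwt: str, key: bytes, as_identifier: str, now: int = NOW):
    """Return (accepted, reason). Applies the checks the spec text puts on the AS:
    valid signature, required claims present, aud includes this AS, not expired."""
    parts = jwt.split(".")
    if len(parts) != 3:
        return False, "malformed JWT"
    header = json.loads(b64url_decode(parts[0]))
    if header.get("alg") != "HS256":
        return False, f"unsupported alg {header.get('alg')!r}"
    expected_sig = hmac.new(key, f"{parts[0]}.{parts[1]}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(parts[2])):
        return False, "bad signature"
    claims = json.loads(b64url_decode(parts[1]))
    for name in ("iss", "sub", "aud", "exp"):
        if name not in claims:
            return False, f"missing {name} claim"
    # aud may be a single string or an array of strings; this AS must be among them.
    aud = claims["aud"]
    audiences = [aud] if isinstance(aud, str) else list(aud)
    if as_identifier not in audiences:
        return False, f"aud {audiences} does not include the authorization server {as_identifier}"
    if claims["exp"] <= now:
        return False, "expired"
    return True, "accepted"


# Constructed sample tokens (not captured from any real deployment).
# 1. An ID Token as the OP would mint it for the RP: its audience is the client_id.
ID_TOKEN = sign_jwt(
    {"iss": OP_ISSUER, "sub": "user-248289761001", "aud": CLIENT_ID, "exp": NOW + 300},
    DEMO_SECRET,
)
# 2. A JWT bearer assertion the RP mints itself, addressed to the AS as the spec requires.
CLIENT_ASSERTION = sign_jwt(
    {"iss": CLIENT_ID, "sub": "user-248289761001", "aud": AS_TOKEN_ENDPOINT, "exp": NOW + 300},
    DEMO_SECRET,
)

if __name__ == "__main__":
    for label, token in (("ID Token", ID_TOKEN), ("client assertion", CLIENT_ASSERTION)):
        ok, why = check_bearer_assertion(token, DEMO_SECRET, AS_TOKEN_ENDPOINT)
        print(f"{label:16s} -> {'accepted' if ok else 'rejected'}: {why}")
```

Run as a script, the ID Token is rejected on the aud check and the client-minted assertion is accepted. The only way to make the ID Token pass this check would be for the AS to accept the RP's client_id as its own audience identifier, which would let any token addressed to that RP be replayed at the token endpoint.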