[Openid-specs-ab] [openid/connect] JWT aud claim issues (issue #689)
Brian Campbell
issues-reply at bitbucket.org
Tue Dec 18 23:42:01 UTC 2012
New issue 689: JWT aud claim issues
https://bitbucket.org/openid/connect/issue/689/jwt-aud-claim-issues
Brian Campbell:
This ticket was filed at the request of Mike Jones after the 17-Dec-12 call: http://lists.openid.net/pipermail/openid-specs-ab/Week-of-Mon-20121217/002699.html
The current definition of aud in JWT limits the claim to having a single value [http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-05#section-4.1.5]. Connect mandates that aud in an ID Token be the OAuth 2.0 client_id of the Client [http://openid.net/specs/openid-connect-messages-1_0-13.html#id_token].
This situation potentially limits the use of the ID Token in other contexts. For example, an ID Token can't really be used in a JWT Bearer Assertion (http://tools.ietf.org/html/draft-jones-oauth-jwt-bearer-03) flow back to the issuing AS or to some other entity.
I'm not sure exactly what changes might be in scope for Connect.
I made a proposal to the OAuth WG regarding allowing aud to have more than one value in this thread: http://www.ietf.org/mail-archive/web/oauth/current/msg10285.html
And there's some additional discussion about the subject in general in this thread on the connect list:
http://lists.openid.net/pipermail/openid-specs-ab/Week-of-Mon-20121217/002708.html
Responsible: mbj
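The following is an added example, not code from the thread, the Connect specs, or any of the drafts linked above. It shows the audience check a recipient has to perform under the two forms of aud the issue contrasts: the single string that draft-ietf-oauth-json-web-token-05 allows (and that Connect fixes to the client_id), and the string-or-array form proposed in the linked OAuth WG thread (and later adopted in RFC 7519, section 4.1.3). With a single-valued aud equal to the client_id, the same ID Token passes at the RP and fails when presented as a bearer assertion at the AS token endpoint; with a multi-valued aud it can name both. The client_id value, the token endpoint URL, the claim values, and the unsigned "alg":"none" JWT used to carry them are all constructed for illustration; a real ID Token is signed, and the signature must be verified before any claim is trusted.

```python
import base64
import json
from typing import List

# Constructed identifiers (assumptions for this example, not from the thread).
CLIENT_ID = "s6BhdRkqt3"                         # the Client's OAuth 2.0 client_id
TOKEN_ENDPOINT = "https://as.example.com/token"  # the AS acting as bearer-assertion audience
ISSUER = "https://as.example.com"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_unsigned_jwt(claims: dict) -> str:
    """Build an unsigned JWT for demonstration only (assumption: no signature).
    A real ID Token carries a signature that must be verified first."""
    header = {"alg": "none", "typ": "JWT"}
    segments = [
        _b64url(json.dumps(header, separators=(",", ":")).encode()),
        _b64url(json.dumps(claims, separators=(",", ":")).encode()),
        "",  # empty signature segment
    ]
    return ".".join(segments)


def decode_claims(jwt: str) -> dict:
    """Split the compact serialization and parse the claims set."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT: expected three segments")
    return json.loads(_b64url_decode(parts[1]))


def audience_values(claims: dict) -> List[str]:
    """Normalise aud to a list of strings.

    A single string (the only form draft-05 permits) and a non-empty array of
    strings (the multi-valued form proposed in the thread) are both accepted.
    Anything else, including a missing claim, is rejected rather than guessed.
    """
    aud = claims.get("aud")
    if aud is None:
        raise ValueError("aud claim missing")
    if isinstance(aud, str):
        return [aud]
    if isinstance(aud, list) and aud and all(isinstance(a, str) for a in aud):
        return list(aud)
    raise ValueError("aud must be a string or a non-empty array of strings")


def is_intended_audience(claims: dict, me: str) -> bool:
    """The recipient must find its own identifier in aud (case-sensitive,
    exact string match); otherwise the token was not issued for it."""
    return me in audience_values(claims)


def validate_id_token_audience(claims: dict, client_id: str) -> bool:
    """RP-side check: the Client's client_id must be among the audiences."""
    return is_intended_audience(claims, client_id)


def validate_bearer_assertion_audience(claims: dict, token_endpoint: str) -> bool:
    """AS-side check for a JWT bearer assertion: the token endpoint must be
    an audience. An ID Token whose aud is only the client_id fails here."""
    return is_intended_audience(claims, token_endpoint)


def single_valued_id_token() -> dict:
    """Constructed ID Token claims with the single-valued aud Connect mandates."""
    return decode_claims(encode_unsigned_jwt(
        {"iss": ISSUER, "sub": "248289761001", "aud": CLIENT_ID, "exp": 1355884921}))


def multi_valued_id_token() -> dict:
    """Constructed claims with the array-valued aud proposed in the thread."""
    return decode_claims(encode_unsigned_jwt(
        {"iss": ISSUER, "sub": "248289761001",
         "aud": [CLIENT_ID, TOKEN_ENDPOINT], "exp": 1355884921}))


if __name__ == "__main__":
    for label, claims in (("single", single_valued_id_token()),
                          ("multi", multi_valued_id_token())):
        print(label, "RP accepts:", validate_id_token_audience(claims, CLIENT_ID),
              "AS accepts as bearer assertion:",
              validate_bearer_assertion_audience(claims, TOKEN_ENDPOINT))
```

The design point is that the recipient never trusts a token merely because aud is present; it looks for its own identifier and rejects everything else, which is what makes the single-valued ID Token unusable at the AS and the multi-valued one usable at both parties.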