[Openid-specs-ab] Guidance on aud vs azp
George Fletcher
gffletch at aol.com
Thu Apr 11 14:55:53 UTC 2013
Hi,
As I was working on some possible text for azp, I realized I have some
questions around aud as well. I figure there has to be some general
consensus about when and how to use them so figured I'd ask on the list
rather than filing a ticket.
I can see a couple of use cases for these fields in the id_token and the
values they contain seem like they can change depending on the context.
1. id_token used only by the client and never presented back to the AS or related endpoint
   aud = client_id of the requesting client
   azp = not really needed at all
2. id_token used by the client but also presented to the AS for session management or bootstrapping endpoints
   aud = ??? (seems like it should be the identifier of the AS)
   azp = client_id of the requesting client
3. id_token requested by a client and then presented by another client to some endpoint
   aud = identifier representing the endpoint that will receive the id_token
   azp = identifier of the client presenting the id_token
   ??? = no mention of the actual requesting client (is this needed?)
Other use cases?
For me, I'd prefer to collapse use cases 1 and 2 and require azp to be
the client_id of the requesting client and aud be the identifier of the
AS or resource endpoint.
Thanks,
George
--
George Fletcher <http://connect.me/gffletch>
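Added example, not from the post or the working group: a receiver-side check that encodes the aud/azp split George prefers (aud names the AS or endpoint receiving the token, azp names the client that requested it) and handles case 3, where the client presenting the token is not the one that requested it. The presenter's identity, the `relay_policy` mapping and the sample claims are assumptions constructed for the example; signature, issuer and expiry checks are assumed to have happened already.

```python
"""Audience / authorized-party check for id_token claims, covering the
three cases in the post. Illustrative only; not taken from any spec text."""


def audience_values(claims):
    """aud may be a single string or a list of strings; normalise to a tuple."""
    aud = claims.get("aud")
    if aud is None:
        return ()
    if isinstance(aud, str):
        return (aud,)
    return tuple(aud)


def check_id_token(claims, receiver_id, presenter_id, relay_policy=None):
    """Return a list of problems; an empty list means the receiver accepts.

    Rule encoded (cases 1 and 2 collapsed, as proposed in the post):
      aud  = identifier of the party receiving the token (AS or endpoint)
      azp  = client_id of the client that requested the token
    Case 3: presenter_id is the client actually handing the token over,
    learned from how it authenticated to the endpoint, not from the token.
    relay_policy (constructed format) maps a presenting client_id to the set
    of azp values whose tokens it is allowed to present on their behalf.
    """
    relay_policy = relay_policy or {}
    problems = []
    if receiver_id not in audience_values(claims):
        problems.append("aud does not name this receiver")
    azp = claims.get("azp")
    if azp is None:
        problems.append("azp missing: requesting client unknown")
    elif presenter_id != azp and azp not in relay_policy.get(presenter_id, ()):
        problems.append(
            f"presenter {presenter_id!r} may not present tokens requested by {azp!r}"
        )
    return problems


# Constructed sample claim sets (no signature) for the cases discussed.
CASE_1_2 = {"aud": "https://as.example", "azp": "client-a"}
CASE_3 = {"aud": ["https://rs.example", "https://as.example"], "azp": "client-a"}

if __name__ == "__main__":
    print(check_id_token(CASE_1_2, "https://as.example", "client-a"))
    print(check_id_token(CASE_3, "https://rs.example", "client-b",
                         {"client-b": {"client-a"}}))
    print(check_id_token(CASE_3, "https://rs.example", "client-c"))
```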