[Openid-specs-ab] OpenID Connect and Identity Delegation
Mike Jones
Michael.Jones at microsoft.com
Thu Mar 28 23:30:05 UTC 2013
I think I disagree with this statement. I had thought that without an "azp" claim, there is exactly one authorized presenter - the client that requested the token.
All of this discussion does point out that "azp" truly is underspecified - which was Brian's primary observation. Otherwise we wouldn't have experts who wrote the specs with different views on what the claim means.
-- Mike
From: Nat Sakimura [mailto:sakimura at gmail.com]
Sent: Thursday, March 28, 2013 4:26 PM
To: Tim Bray
Cc: Mike Jones; openid-specs-ab
Subject: Re: [Openid-specs-ab] OpenID Connect and Identity Delegation
+1. An ID Token without azp is equivalent to saying "azp":"*". That's what we call bearer. In essence, azp is scoping the "from" and aud is scoping the "to".
As far as the text itself is concerned, there has been a request from Breno on the text, however, and we should take that into account as well.
Nat
2013/3/29 Tim Bray <tbray at textuality.com>
I agree with Mike's characterization. Why not include that exact sentence in the spec?
On Thu, Mar 28, 2013 at 11:06 AM, Mike Jones <Michael.Jones at microsoft.com> wrote:
An audience is a party that the token can be legally presented to. The authorized presenter (azp) is a party that can legally present the token to those audiences.
-- Mike
From: openid-specs-ab-bounces at lists.openid.net [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf Of Brian Campbell
Sent: Thursday, March 28, 2013 11:00 AM
To: Matias Woloski
Cc: openid-specs-ab
Subject: Re: [Openid-specs-ab] OpenID Connect and Identity Delegation
On Thu, Mar 28, 2013 at 11:55 AM, Matias Woloski <matiasw at gmail.com> wrote:
* What is the difference between having multiple audiences vs using azp?
FWIW, I've long had the same question. Which is mentioned, among others about azp, in https://bitbucket.org/openid/connect/issue/830/what-is-azp-really
_______________________________________________
Openid-specs-ab mailing list
Openid-specs-ab at lists.openid.net
http://lists.openid.net/mailman/listinfo/openid-specs-ab
--
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en
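
The two readings of a missing "azp" claim given in this thread lead a token recipient to different accept decisions. The sketch below is an added illustration, not text from the thread or from the OpenID Connect specification; the function names, the `reading` switch, the `requesting_client` input (which the recipient is assumed to know) and the sample claims are assumptions made for the example, and "azp" is assumed to hold a single identifier.

```python
# Added illustration: names and sample claims are constructed, not from the spec.

def audiences(claims):
    """Normalize "aud" to a list (a single string or a list of strings)."""
    aud = claims.get("aud", [])
    return [aud] if isinstance(aud, str) else list(aud)


def authorized_presenters(claims, reading, requesting_client=None):
    """Return the set of allowed presenters, or None meaning "anyone" (bearer).

    reading="bearer":    a missing azp is treated like "azp":"*".
    reading="requester": a missing azp means only the requesting client may
                         present; the recipient is assumed to know that client.
    """
    if "azp" in claims:
        return {claims["azp"]}          # both readings agree when azp is present
    if reading == "bearer":
        return None
    if reading == "requester":
        if requesting_client is None:
            raise ValueError("requester reading needs the requesting client")
        return {requesting_client}
    raise ValueError("unknown reading: %r" % reading)


def accept(claims, recipient, presenter, reading, requesting_client=None):
    """Decide whether `recipient` accepts the token when `presenter` presents it."""
    if recipient not in audiences(claims):   # aud scopes the "to"
        return False
    allowed = authorized_presenters(claims, reading, requesting_client)
    return allowed is None or presenter in allowed   # azp scopes the "from"


# Constructed sample claims (hypothetical identifiers).
NO_AZP = {"iss": "https://op.example", "sub": "user-1", "aud": "backend.example"}
WITH_AZP = dict(NO_AZP, azp="app.example")

if __name__ == "__main__":
    for name, claims in (("no azp", NO_AZP), ("with azp", WITH_AZP)):
        for presenter in ("app.example", "other.example"):
            results = {r: accept(claims, "backend.example", presenter, r,
                                 requesting_client="app.example")
                       for r in ("bearer", "requester")}
            print(name, presenter, results)
```

The only case where the two readings disagree is a token without "azp" presented by a party other than the requesting client.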