[Openid-specs-ab] Issue #1799: Inconsistent example of the "aud" field in request objects (openid/connect)
Fabian Hoffmann
issues-reply at bitbucket.org
Tue Jan 31 14:56:42 UTC 2023
New issue 1799: Inconsistent example of the "aud" field in request objects
https://bitbucket.org/openid/connect/issues/1799/inconsistent-example-of-the-aud-field-in
Fabian Hoffmann:
In chapter [10.1.1.1. Using a Request Object](https://openid.net/specs/openid-connect-federation-1_0.html#section-10.1.1.1), the “aud” field is described as:
```
aud
REQUIRED. The Audience (aud) value MUST be or include the OP's Issuer Identifier URL.
```
In the example below, however, we can find a URL that contains the path “authorization”, which gives the impression that the OP’s authorization endpoint shall be set instead of the Issuer Identifier URL:
```
{
  "aud": "https://op.example.org/authorization",
  "client_id": "https://rp.example.com",
  "exp": 1589699162,
  "iat": 1589699102,
  "iss": "https://rp.example.com",
  "jti": "4d3ec0f81f134ee9a97e0449be6d32be",
  "nonce": "4LX0mFMxdBjkGmtx7a8WIOnB",
  "redirect_uri": "https://rp.example.com/authz_cb",
  "response_type": "code",
  "scope": "openid profile email address phone",
  "state": "YmX8PM9I7WbNoMnnieKKBiptVW0sP2OZ",
  "trust_chain" : [
    "eyJhbGciOiJSUzI1NiIsImtpZCI6Ims1NEhRdERpYnlHY3M5WldWTWZ2aUhm ...",
    "eyJhbGciOiJSUzI1NiIsImtpZCI6IkJYdmZybG5oQU11SFIwN2FqVW1BY0JS ...",
    "eyJhbGciOiJSUzI1NiIsImtpZCI6IkJYdmZybG5oQU11SFIwN2FqVW1BY0JS ..."
  ]
}
```
My suggestion would be to rename the example URL, e.g. to "https://op.example.org/issuer".
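
An OP-side check that applies the normative "aud" text quoted above, as an added example that is not part of the original post or of the specification. It shows why the example's value matters: with exact string comparison, an endpoint URL on the OP's host is not the Issuer Identifier. The issuer value `https://op.example.org`, the function names and the result labels are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the page does not state the OP's Issuer Identifier for the example.
ASSUMED_OP_ISSUER = "https://op.example.org"

def audience_values(claims):
    """Normalise "aud" to a list; a JWT allows a single string or an array of strings."""
    aud = claims.get("aud")
    if isinstance(aud, str):
        return [aud]
    if isinstance(aud, list) and aud and all(isinstance(a, str) for a in aud):
        return list(aud)
    return []  # absent, empty, or wrongly typed

def same_origin(a, b):
    """Compare scheme and authority only; used for diagnostics, never for acceptance."""
    ua, ub = urlsplit(a), urlsplit(b)
    return (ua.scheme, ua.netloc) == (ub.scheme, ub.netloc)

def check_aud(claims, op_issuer):
    """Classify the request object's "aud" against the OP's Issuer Identifier.

    Returns "ok", "missing_or_malformed", "same_origin_not_issuer" or "mismatch".
    Only "ok" satisfies "MUST be or include the OP's Issuer Identifier URL".
    """
    values = audience_values(claims)
    if not values:
        return "missing_or_malformed"
    if op_issuer in values:  # exact, case-sensitive string comparison
        return "ok"
    # Same host but a different path (e.g. an endpoint URL or a trailing slash):
    # reject, but report it separately so RP misconfiguration is easy to spot.
    if any(same_origin(v, op_issuer) for v in values):
        return "same_origin_not_issuer"
    return "mismatch"

# Constructed sample: the claims from the spec example above, reduced to the fields used here.
SPEC_EXAMPLE_CLAIMS = {
    "aud": "https://op.example.org/authorization",
    "client_id": "https://rp.example.com",
    "iss": "https://rp.example.com",
}

if __name__ == "__main__":
    print(check_aud(SPEC_EXAMPLE_CLAIMS, ASSUMED_OP_ISSUER))
```
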