[Openid-specs-ab] 3-party vs 4-party in JWT

Breno de Medeiros breno at google.com
Tue Dec 21 23:12:32 UTC 2010

Mike, I have a question for you about the 'aud' field.  This has to do
with 3-party auth scenarios versus 4-party ones.

In a 3-party auth scenario, the requester is the same as the audience;
e.g., a client web app requests a token from a web server to access
data for a particular user. There's no question here that 'aud' refers
to the client web app and no further information is needed to evaluate
this token.

However, in a 4-party or delegated auth scenario, the requester is,
say, a mobile app, requesting a token/grant from a web server for a
particular user at a client web app that the mobile app accesses. The
web server here is acting as an 'authorization server' for a number of
'federated' client web apps and enabling mobile apps to auth against
these client web apps as well.

In the 4-party auth or delegated scenario, the audience is the client
web app (presumably), which is a different party from the party to
whom the token was issued (here, a mobile app).

Do you have a formed idea on how JWT tokens should handle the 4-party
auth case (as both mobile/client apps and web federations are common
use cases, their combination leading to the need to address 4-party
use cases is a given)?
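
The gap the message asks about, shown as an added example that is not part of the original message or of any JWT draft: an HS256 token carrying only `iss`, `sub` and `aud` is minted for the 3-party and the 4-party case, and the two come out identical, so the audience's check cannot tell which party the token was issued to. The host names, the key, the use of `sub` for the user and all function names are assumptions made for the illustration.

```python
import base64, hashlib, hmac, json

KEY = b"constructed-demo-key"        # constructed shared secret
ISSUER = "https://as.example"        # hypothetical authorization server
WEB_APP = "https://webapp.example"   # hypothetical client web app (the audience)
MOBILE_APP = "mobile-app.example"    # hypothetical mobile app (4-party requester)

def b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue(requester: str, audience: str, user: str) -> str:
    """Mint an HS256 JWT. The server knows `requester`, but with only
    iss/sub/aud available there is no claim to record it in."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "sub": user, "aud": audience}
    signing_input = ".".join(
        b64(json.dumps(part, sort_keys=True, separators=(",", ":")).encode())
        for part in (header, claims))
    sig = hmac.new(KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64(sig)

def accept(token: str, me: str) -> dict:
    """Audience-side check: signature first, then alg, issuer and aud == me."""
    try:
        head, body, sig = token.split(".")
        given = unb64(sig)
    except ValueError as exc:
        raise ValueError("malformed token") from exc
    expected = hmac.new(KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given):
        raise ValueError("bad signature")
    header, claims = json.loads(unb64(head)), json.loads(unb64(body))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    if claims.get("iss") != ISSUER or claims.get("aud") != me:
        raise ValueError("wrong issuer or audience")
    return claims

# 3-party: requester and audience are the same party; 4-party: they differ.
three_party = issue(requester=WEB_APP, audience=WEB_APP, user="alice")
four_party = issue(requester=MOBILE_APP, audience=WEB_APP, user="alice")

if __name__ == "__main__":
    print("tokens identical:", three_party == four_party)
```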

