[Openid-specs-ab] 3-party vs 4-party in JWT
Breno de Medeiros
breno at google.com
Tue Dec 21 23:17:32 UTC 2010
+michael.jones at microsoft.com (had the wrong Mike the first time
around, thanks to auto-complete).
On Tue, Dec 21, 2010 at 15:12, Breno de Medeiros <breno at google.com> wrote:
> Mike, I have a question for you about the 'aud' field. This has to do
> with 3-party auth scenarios versus 4-party ones.
> In a 3-party auth scenario, the requester is the same as the audience;
> e.g., a client web app requests a token from a web server to access
> data for a particular user. There's no question here that 'aud' refers
> to the client web app and no further information is needed to evaluate
> this token.
> However, in a 4-party or delegated auth scenario, the requester is,
> say, a mobile app, requesting a token/grant from a web server for a
> particular user at a client web app that the mobile app accesses. The
> web server here is acting as an 'authorization server' for a number of
> 'federated' client web apps and enabling mobile apps to auth against
> these client web apps as well.
> In the 4-party auth or delegated scenario, the audience is the client
> web app (presumably), which is a different party from the party to
> whom the token was issued (here, a mobile app).
> Do you have a formed idea on how JWT tokens should handle the 4-party
> auth case (as both mobile/client apps and web federations are common
> use cases, their combination leading to the need to address 4-party
> use cases is a given).
More information about the Openid-specs-ab