[Openid-specs-ab] [openid/connect] what is azp really? (issue #830)
issues-reply at bitbucket.org
Thu Mar 28 15:30:04 UTC 2013
New issue 830: what is azp really?
Even though I'm *somewhat* familiar with how "azp" got in the spec, from kind of knowing about Google's use case of "cid", and sort of know what it's supposed to do, I find the current text in the spec to be pretty confusing.
For example, there's text now for azp that says it "identifies an OAuth 2.0 Client authorized to use this ID Token as an OAuth Access Token." But I don't know what that actually means. There's no way to identify who the client is using an OAuth bearer token. So what does it mean to be authorized? How does one check or enforce that?
I believe that more clarification about what azp really is and what the OP and client, as well as other systems and actors, are supposed to do with it would be good.
Folks (George/Nat) on the call (March 28) suggested that it's more aptly described as an "issued to" or "registered to" respectively.
And I still think different people have somewhat different ideas about what this thing is.
This issue is admittedly somewhat ticky-tacky but I was asked on the March 28 call to go ahead and file something on it for posterity. So that's what I'm doing.