[Openid-specs-ab] [openid/connect] what is azp really? (issue #830)

Nat Sakimura sakimura at gmail.com
Thu Mar 28 16:13:17 UTC 2013


Just replied to the ticket.

Related issues are #712 and #636.

Just found that #712 had a change request from Breno after Mike had closed
the issue, so I reopened it now.

Nat

2013/3/29 Mike Jones <Michael.Jones at microsoft.com>

> Suggested text clarifications to address this issue are highly encouraged.
>  The current definition is as follows:
>
> azp
>
> OPTIONAL. Authorized Presenter. This member identifies an OAuth 2.0 Client
> authorized to use this ID Token as an OAuth Access Token. It MUST contain
> the client_id of the Authorized Presenter. This Claim is only needed when
> the party requesting the ID Token is not the same as the audience of the ID
> Token. It MAY be included even when the Authorized Presenter is the same as
> the audience.
>
>                                 -- Mike
>
> -----Original Message-----
> From: Brian Campbell [mailto:issues-reply at bitbucket.org]
> Sent: Thursday, March 28, 2013 8:30 AM
> To: Mike Jones
> Subject: [openid/connect] what is azp really? (issue #830)
>
> --- you can reply above this line ---
>
> New issue 830: what is azp really?
> https://bitbucket.org/openid/connect/issue/830/what-is-azp-really
>
> Brian Campbell:
>
> Even though I'm *somewhat* familiar with how "azp" got in the spec, from
> kind of knowing about Google's use case of "cid", and sort of know what
> it's supposed to do, I find the current text in the spec to be pretty
> confusing.
>
> For example, there's text now for azp that says it "identifies an OAuth
> 2.0 Client authorized to use this ID Token as an OAuth Access Token." But I
> don't know what that actually means. There's no way to identify who the
> client is using an OAuth bearer token. So what does it mean to be
> authorized? How does one check or enforce that?
>
> I believe that more clarification about what azp really is and what the OP
> and client are supposed to do with it would be good, as well as for other
> systems and actors.
>
> Folks (George/Nat) on the call (March 28) suggested that it's more aptly
> described as an "issued to" or "registered to" respectively.
>
> And I still think different people have somewhat different ideas about
> what this thing is.
>
> This issue is admittedly somewhat ticky-tacky but I was asked on the March
> 28 call to go ahead and file something on it for posterity. So that's what
> I'm doing.
>



-- 
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en
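Brian asks how a client is supposed to check or enforce azp. The following is an added example, not code from the thread or from the OpenID Foundation: a Relying Party's aud/azp check over the claims of an ID Token whose signature has already been verified, following the quoted definition (azp carries the client_id of the party the token was issued to, and is only needed when that party is not the audience). The `trusted_presenters` parameter and the rule that a multi-audience token must carry azp are assumptions of this example, not text from the spec draft under discussion.

```python
# Added example (not from the thread): aud/azp validation by the audience.
from typing import Any, Iterable, Mapping, Optional


class IDTokenAudienceError(ValueError):
    """Raised when aud/azp do not fit the validating client."""


def check_audience(claims: Mapping[str, Any], my_client_id: str,
                   trusted_presenters: Optional[Iterable[str]] = None) -> str:
    """Validate aud/azp for the client `my_client_id` and return the
    client_id of the presenter the token was issued to.

    Policy assumed here (a choice of this example, not spec text):
      - aud may be a string or a list of strings; my_client_id must be in it;
      - if azp is present it must be a string naming either this client
        or a presenter this client has chosen to trust (e.g. a mobile app
        that requests tokens on behalf of its web backend);
      - if aud lists more than one party, azp is required, since the token
        is then usable by several clients and the presenter must be named.
    """
    accepted = set(trusted_presenters or ()) | {my_client_id}

    aud = claims.get("aud")
    if isinstance(aud, str):
        audiences = [aud]
    elif isinstance(aud, list) and all(isinstance(a, str) for a in aud):
        audiences = list(aud)
    else:
        raise IDTokenAudienceError("aud missing or malformed")
    if my_client_id not in audiences:
        raise IDTokenAudienceError("token not issued for this client")

    azp = claims.get("azp")
    if azp is not None:
        if not isinstance(azp, str):
            raise IDTokenAudienceError("azp must be a string client_id")
        if azp not in accepted:
            raise IDTokenAudienceError("azp names an untrusted presenter")
        return azp
    if len(audiences) > 1:
        raise IDTokenAudienceError("multiple audiences but no azp")
    # No azp: per the definition, requester and audience are the same party.
    return audiences[0]


if __name__ == "__main__":
    # Constructed sample: a token requested by a mobile app for its backend.
    sample = {"iss": "https://op.example", "sub": "24400320",
              "aud": "web-backend", "azp": "mobile-app"}
    print(check_audience(sample, "web-backend", {"mobile-app"}))  # mobile-app
```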