[Openid-specs-ab] Issue #1059: Core makes "aud" in request object optional unexpectedly (openid/connect)
issues-reply at bitbucket.org
Fri Dec 28 06:57:09 UTC 2018
New issue 1059: Core makes "aud" in request object optional unexpectedly
> If signed, the Request Object SHOULD contain the Claims iss (issuer) and aud (audience) as members. The iss value SHOULD be the Client ID of the RP, unless it was signed by a different party than the RP. The aud value SHOULD be or include the OP's Issuer Identifier URL.
I am struggling to understand the logic as to why "aud" is optional?
On a related note, the second part ("The aud value SHOULD be or include the OP's Issuer Identifier URL.") is worded in a way that it appears to conflict with the JWT RFC; if I understand the intent correctly then "If present, the aud value MUST be or include the OP's Issuer Identifier URL" might be clearer.
(This was previously discussed in the FAPI WG, https://bitbucket.org/openid/fapi/issues/190/aud-should-be-mandatory-in-requests - the FAPI WG currently intends to make aud a MUST)
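An added example, not part of this issue or of the spec text: an OP-side check of a signed Request Object written from the reporter's reading of the "aud" clause. It assumes a constructed HS256 shared secret and constructed issuer and client identifiers, and exposes `require_aud` to switch between Core's SHOULD (missing aud tolerated) and the MUST argued for here.

```python
import base64, hashlib, hmac, json

# Constructed sample values; not taken from the issue or any real deployment.
OP_ISSUER = "https://op.example.com"
CLIENT_ID = "s6BhdRkqt3"
SECRET = b"constructed-shared-secret-for-hs256"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_request_object(claims: dict, secret: bytes = SECRET) -> str:
    """Build an HS256-signed Request Object JWT carrying `claims`."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def validate_request_object(token: str, client_id: str = CLIENT_ID,
                            op_issuer: str = OP_ISSUER, secret: bytes = SECRET,
                            require_aud: bool = True) -> list:
    """Verify the signature, then check iss and aud; return a list of problems.

    require_aud=True is the MUST the issue argues for; False is Core's SHOULD
    reading, where a missing aud passes but a present aud must still name the OP.
    """
    header_b64, payload_b64, sig_b64 = token.split(".")
    if json.loads(_unb64url(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin the algorithm we expect
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64url(payload_b64))
    problems = []
    if claims.get("iss") != client_id:
        problems.append("iss is not the client_id")
    aud = claims.get("aud")
    if aud is None:
        if require_aud:
            problems.append("aud missing")
    else:
        # RFC 7519: aud is a string or an array of strings, hence "be or include".
        audiences = [aud] if isinstance(aud, str) else list(aud)
        if op_issuer not in audiences:
            problems.append("aud does not include the OP issuer")
    return problems
```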