[Openid-specs-ab] Issue #1059: Core makes "aud" in request object optional unexpectedly (openid/connect)

Joseph Heenan issues-reply at bitbucket.org
Fri Dec 28 06:57:09 UTC 2018


New issue 1059: Core makes "aud" in request object optional unexpectedly
https://bitbucket.org/openid/connect/issues/1059/core-makes-aud-in-request-object-optional

Joseph Heenan:

https://openid.net/specs/openid-connect-core-1_0.html#RequestObject says:

>  If signed, the Request Object SHOULD contain the Claims iss (issuer) and aud (audience) as members. The iss value SHOULD be the Client ID of the RP, unless it was signed by a different party than the RP. The aud value SHOULD be or include the OP's Issuer Identifier URL.

I am struggling to understand the logic as to why "aud" is optional.


On a related note, the second part ("The aud value SHOULD be or include the OP's Issuer Identifier URL.") is worded in a way that it appears to conflict with the JWT RFC; if I understand the intent correctly then "If present, the aud value MUST be or include the OP's Issuer Identifier URL" might be clearer.


(This was previously discussed in the FAPI WG, https://bitbucket.org/openid/fapi/issues/190/aud-should-be-mandatory-in-requests - the FAPI WG currently intends to make aud a MUST)
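As an added illustration (not part of the issue report, and not code from the OpenID Connect or FAPI projects), the following shows what an OP that enforces the stricter FAPI reading would actually check on a signed request object: the signature, then `iss` equal to the RP's `client_id`, then `aud` present and equal to or including the OP's Issuer Identifier. The `aud` handling follows RFC 7519, which allows either a single string or an array of strings. The OP issuer URL, the `client_id` and the shared secret are constructed values; HS256 with a shared secret is used only so the example runs with the standard library alone, whereas real deployments typically verify an asymmetric signature against the RP's registered JWK Set.

```python
import base64
import hashlib
import hmac
import json

# Constructed values for this example only (hypothetical OP and RP).
OP_ISSUER = "https://op.example.com"
RP_CLIENT_ID = "s6BhdRkqt3"
SHARED_SECRET = b"constructed-client-secret-for-example-only"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # Restore the '=' padding that base64url strips before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def sign_request_object(claims: dict, secret: bytes) -> str:
    """Build an HS256-signed JWS (compact serialization) carrying the claims."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_request_object(jws: str, secret: bytes, expected_client_id: str, op_issuer: str) -> dict:
    """Verify the signature, then enforce iss/aud the way a MUST-level profile would.

    Raises ValueError on any failure and returns the claims on success.
    """
    parts = jws.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWS compact serialization")
    header_b64, payload_b64, sig_b64 = parts

    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg: %r" % header.get("alg"))
    expected_sig = hmac.new(
        secret, (header_b64 + "." + payload_b64).encode("ascii"), hashlib.sha256
    ).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")

    claims = json.loads(_b64url_decode(payload_b64))

    # iss: a signed request object names the RP that produced it.
    if claims.get("iss") != expected_client_id:
        raise ValueError("iss missing or not the client_id")

    # aud: RFC 7519 allows a single string or an array of strings. The OP's
    # Issuer Identifier must be, or be among, the audience; a missing aud
    # is rejected rather than tolerated.
    aud = claims.get("aud")
    if aud is None:
        raise ValueError("aud missing")
    audiences = [aud] if isinstance(aud, str) else aud
    if not isinstance(audiences, list) or not all(isinstance(a, str) for a in audiences):
        raise ValueError("aud malformed")
    if op_issuer not in audiences:
        raise ValueError("aud does not include the OP issuer identifier")
    return claims


def is_rejected(jws: str, secret: bytes = SHARED_SECRET,
                expected_client_id: str = RP_CLIENT_ID, op_issuer: str = OP_ISSUER) -> bool:
    """True if the OP-side check refuses this request object."""
    try:
        verify_request_object(jws, secret, expected_client_id, op_issuer)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    ok = sign_request_object(
        {"iss": RP_CLIENT_ID, "aud": OP_ISSUER, "response_type": "code",
         "client_id": RP_CLIENT_ID, "scope": "openid"},
        SHARED_SECRET,
    )
    print("accepted:", not is_rejected(ok))
    no_aud = sign_request_object({"iss": RP_CLIENT_ID, "response_type": "code"}, SHARED_SECRET)
    print("missing aud rejected:", is_rejected(no_aud))
```

The `is_rejected` helper makes the outcome of each case a return value, which is what a conformance test or unit test would assert on; `verify_request_object` itself raises so that callers cannot accidentally proceed with a request object that only partially validated.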




More information about the Openid-specs-ab mailing list