[Openid-specs-ab] OAuth JAR's final improvements
sakimura at gmail.com
Fri Apr 12 02:53:28 UTC 2019
As noted in the last meeting note, we had a discussion on OAuth JAR
draft at the OAuth Security Workshop 2019. The draft has gone through
the telechat but needs one fix pointed out by Ekr.
a) to add an explanatory text to what `aud` shall be.
In OIDC Core 1.0, `aud` here is defined as
The aud value SHOULD be or include the OP's Issuer Identifier URL.
In -17 of the OAuth JAR draft, it is saying:
the Authorization Request
Object SHOULD contain the Claims "iss" (issuer) and "aud" (audience)
as members, with their semantics being the same as defined in the JWT
Apparently, it is less specific than OIDC.
We discussed this a bit in the OAuth Security Workshop 2019 and what
the room concluded was that it should be a value in the OAuth Server
There are two candidates for this.
The discussion there concluded that since the request really should be
going to the authorization_endpoint and not the token endpoint, the
value of `aud` should be the value of `authorization_endpoint` as in
Then, there were a bunch of other features that people wanted were discussed.
b) Additional AS metadata, e.g,
c) Client registration parameter to indicate always sign, and always encrypt.
d) Take 7.5 from FAPI Part 2.
It was agreed that pushing b), c) and d) above would mean pushing the
draft back to WG and as FAPI wants to have the spec published ASAP, it
was agreed just to do a) for this document and leave b) - d) in
another spec or bi OAuth JAR bis.
Nat Sakimura (=nat)
Chairman, OpenID Foundation
More information about the Openid-specs-ab