<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<font face="Helvetica, Arial, sans-serif">Hi,<br>
<br>
As I was working on some possible text for azp, I realized I have
some questions around aud as well. I figure there has to be some
general consensus about when and how to use them, so I figured I'd
ask on the list rather than filing a ticket.<br>
<br>
I can see a couple of use cases for these fields in the id_token
and the values they contain seem like they can change depending on
the context.<br>
<br>
1. id_token used only by the client and never presented back to
the AS or related endpoint<br>
aud = client_id of the requesting client<br>
azp = not really needed at all<br>
<br>
2. id_token used by the client but also presented to the AS for
session management or bootstrapping endpoints<br>
aud = ??? (seems like it should be the identifier of the AS)<br>
azp = client_id of the requesting client<br>
<br>
3. id_token requested by a client and then presented by another
client to some endpoint<br>
aud = identifier representing the endpoint that will receive
the id_token<br>
azp = identifier of the client presenting the id_token<br>
<br>
??? = no mention of the actual requesting client (is this
needed?)<br>
<br>
Other use cases?<br>
<br>
For me, I'd prefer to collapse use cases 1 and 2 and require azp
to be the client_id of the requesting client and aud to be the
identifier of the AS or resource endpoint.<br>
<br>
Thanks,<br>
George<br>
</font>
<div class="moz-signature">-- <br>
<a href="http://connect.me/gffletch" title="View full card on
Connect.Me">George Fletcher</a></div>
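As an added illustration (not part of George's message, and not text from any spec or project), here is how a recipient could apply the rule he proposes: aud must name the recipient itself and, when the recipient knows which client is presenting the token, azp must name that client. The claim names come from the post; the identifiers, sample claims and helper names are constructed.

```python
"""Hypothetical check of id_token aud/azp under the proposed rule.

The recipient (a client, the AS, or a resource endpoint) verifies that
  * aud names the recipient (JWT allows aud as a string or a list), and
  * azp, when the recipient knows who is presenting, names that client.
Signature verification is assumed to have happened before this step.
"""
from dataclasses import dataclass


@dataclass
class Outcome:
    ok: bool
    reason: str


def audience_list(aud):
    """Normalise aud to a list of strings; None if missing or malformed."""
    if isinstance(aud, str):
        return [aud]
    if isinstance(aud, list) and all(isinstance(a, str) for a in aud):
        return aud
    return None


def check_id_token(claims, recipient_id, expected_azp=None):
    """Apply the proposed rule for one recipient and (optionally) one presenter."""
    auds = audience_list(claims.get("aud"))
    if auds is None:
        return Outcome(False, "aud missing or malformed")
    if recipient_id not in auds:
        return Outcome(False, "token not addressed to this recipient")
    if expected_azp is not None:
        azp = claims.get("azp")
        if azp is None:
            return Outcome(False, "azp required but absent")
        if azp != expected_azp:
            return Outcome(False, "azp names a different presenting client")
    return Outcome(True, "accepted")


# Constructed sample claims for the three use cases in the post.
CASE1 = {"iss": "https://as.example", "sub": "u1", "aud": "client-app-1"}
CASE2 = {"iss": "https://as.example", "sub": "u1",
         "aud": "https://as.example", "azp": "client-app-1"}
CASE3 = {"iss": "https://as.example", "sub": "u1",
         "aud": ["https://api.example", "client-app-1"], "azp": "client-app-2"}

if __name__ == "__main__":
    print(check_id_token(CASE1, "client-app-1"))
    print(check_id_token(CASE2, "https://as.example", "client-app-1"))
    print(check_id_token(CASE3, "https://api.example", "client-app-2"))
```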
</body>
</html>