[Openid-specs-native-apps] Resource
John Bradley
ve7jtb at ve7jtb.com
Tue Apr 29 13:55:06 UTC 2014
In the draft for distributing Proof of Possession tokens in OAuth the authors propose adding a new parameter "aud" to the token endpoint request.
http://tools.ietf.org/html/draft-bradley-oauth-pop-key-distributionhttp://tools.ietf.org/html/draft-bradley-oauth-pop-key-distribution-00#section-3
Knowing the audience for the generates access token is important if you are encrypting key material to that endpoint.
Most people have to this point been overloading scopes to indicate the "aud" for the access token. Given that scopes are not guaranteed to be globally unique,
I am inclined to re use "aud" as a way to explicitly indicate who a JWT assertion is being requested for.
John B.
More information about the Openid-specs-native-apps
mailing list