[Openid-specs-risc] "aud" claim value
Marius Scurtescu
mscurtescu at google.com
Fri Apr 6 22:11:24 UTC 2018
This was one of the agenda items yesterday, and the conclusion was that the
RISC Profile should allow both single and multiple values, same as JWT. We
could not come up with a good example for multiple values, but it seemed
wise not to restrict/override JWT.
Shortly after the F2F while talking to Roshni and Adam we ran into a very
good use case for multiple values.
An OAuth 2 RP might register several different apps with an authorization
server, for example: iOS, Android and Web apps, each with a distinct client
id. A given user, Bob, might have up to 3 grants in this example (one for
each app). If the RISC configuration for the 3 apps is identical then RISC
events for Bob can either be delivered as 3 separate SETs, each with
single-valued "aud", or as a single SET with "aud" as an array with 3 elements
(the 3 client ids). The single SET is not only more efficient, but allows
receivers to de-dup much more easily.
So, I think it was very wise to allow "aud" to be expressed as an array,
just like in JWT.
Happy weekend everyone,
Marius
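
The receiver side of the use case above, as an added example that is not part of the original message or of any RISC implementation: it normalizes "aud" (string or array, as in JWT), matches it against the RP's client ids, and de-dups by "jti". The `Receiver` class, the client ids, issuer and "jti" values are constructed, and signature and issuer verification are assumed to have happened already.

```python
# Added example: receiver-side handling of a SET whose "aud" is a string or an array.
# Assumes the SET's signature and issuer were already verified; all ids are constructed.

RP_CLIENT_IDS = {"ios-client-id", "android-client-id", "web-client-id"}  # constructed


def audiences(claims):
    """Normalize "aud" to a set: RFC 7519 allows one string or an array of strings."""
    aud = claims.get("aud")
    if isinstance(aud, str):
        return {aud}
    if isinstance(aud, list) and aud and all(isinstance(a, str) for a in aud):
        return set(aud)
    raise ValueError('"aud" must be a string or a non-empty array of strings')


class Receiver:
    """Hypothetical receiver that owns several client ids and de-dups by "jti"."""

    def __init__(self, client_ids):
        self.client_ids = set(client_ids)
        self.seen_jti = set()
        self.handled = []  # (jti, affected client ids) per processed SET

    def accept(self, claims):
        """Return the client ids this SET applies to; empty set if ignored."""
        matched = audiences(claims) & self.client_ids
        jti = claims.get("jti")
        if not matched or not isinstance(jti, str) or jti in self.seen_jti:
            return set()  # not for us, malformed, or a duplicate/replayed SET
        self.seen_jti.add(jti)
        self.handled.append((jti, matched))
        return matched


def deliveries_needed(sets):
    """Feed SETs to a fresh receiver; return how many times the event was processed."""
    rx = Receiver(RP_CLIENT_IDS)
    for claims in sets:
        rx.accept(claims)
    return len(rx.handled)


# Constructed SET payloads describing the same event for one user.
BASE = {"iss": "https://as.example"}
THREE_SETS = [dict(BASE, jti=f"jti-{i}", aud=cid)
              for i, cid in enumerate(sorted(RP_CLIENT_IDS))]
ONE_SET = [dict(BASE, jti="jti-a", aud=sorted(RP_CLIENT_IDS))]
```

With three single-valued SETs the "jti" values differ, so the receiver processes the same event three times unless it adds its own correlation logic; with one array-valued SET it processes it once and learns all affected client ids.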