oauth-wg/oauth-identity-chaining

Clarify requirements for "aud" claim

Closed this issue · 0 comments

Feedback from Brian Campbell

This requirement for the audience [https://www.ietf.org/archive/id/draft-identity-chaining-00.html#section-2.5.2-2.1] is already a requirement of [https://www.rfc-editor.org/rfc/rfc7521#section-5.2] (3rd bullet) and also [https://www.rfc-editor.org/rfc/rfc7523#section-3] (also 3rd bullet). But the way it's listed here makes it sound like an additional thing. It might be worthwhile to use the bullet here to be more specific about the aud value (it's been a bit of an interop pain point w/ JWT client auth fwiw) and say that it has to be the token endpoint or AS issuer identifier.
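As an added example (not part of this issue, the draft, or Brian's comment), the check an authorization server could apply to the "aud" claim of an incoming JWT assertion under RFC 7523 section 3, accepting exactly the two values the feedback suggests: the token endpoint URL or the AS issuer identifier. The endpoint, issuer and claim sets below are constructed, and signature and expiry validation are assumed to have been done beforehand.

```python
"""Audience check for a JWT used as an authorization grant or for client
authentication (RFC 7523 section 3): the "aud" claim must identify the
authorization server. Accepted values are the AS token endpoint URL and the
AS issuer identifier, compared as exact strings, which is the comparison
that makes mismatched values an interop pain point in practice."""
from dataclasses import dataclass


@dataclass(frozen=True)
class AudienceResult:
    ok: bool
    reason: str


def check_assertion_audience(claims: dict, token_endpoint: str, issuer: str) -> AudienceResult:
    """Return ok=True only if some "aud" value exactly equals one of the two
    identifiers this AS publishes for itself."""
    accepted = {token_endpoint, issuer}
    if "aud" not in claims:
        return AudienceResult(False, "missing aud claim")
    aud = claims["aud"]
    # RFC 7519 lets "aud" be a single string or an array of strings.
    values = [aud] if isinstance(aud, str) else aud
    if not isinstance(values, list) or not values or not all(isinstance(v, str) and v for v in values):
        return AudienceResult(False, "aud must be a non-empty string or array of strings")
    matched = [v for v in values if v in accepted]
    if not matched:
        return AudienceResult(False, f"no aud value names this AS (got {values!r})")
    return AudienceResult(True, f"matched {matched[0]}")


# Constructed identifiers for a fictitious authorization server.
TOKEN_ENDPOINT = "https://as.example.com/oauth2/token"
ISSUER = "https://as.example.com"

# Constructed claim sets covering the cases a client might send.
SAMPLE_CLAIMS = {
    "token_endpoint": {"iss": "client-1", "sub": "client-1", "aud": TOKEN_ENDPOINT},
    "issuer": {"iss": "client-1", "sub": "client-1", "aud": [ISSUER]},
    "authz_endpoint": {"iss": "client-1", "sub": "client-1", "aud": "https://as.example.com/oauth2/authorize"},
    "trailing_slash": {"iss": "client-1", "sub": "client-1", "aud": ISSUER + "/"},  # exact match fails
    "missing": {"iss": "client-1", "sub": "client-1"},
}


def run_samples() -> dict:
    """Map each sample name to whether the AS would accept its audience."""
    return {name: check_assertion_audience(c, TOKEN_ENDPOINT, ISSUER).ok for name, c in SAMPLE_CLAIMS.items()}


if __name__ == "__main__":
    for name, claims in SAMPLE_CLAIMS.items():
        r = check_assertion_audience(claims, TOKEN_ENDPOINT, ISSUER)
        print(f"{name:15} {'accept' if r.ok else 'reject':6} {r.reason}")
```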