Messages 3.1.1. ID Token audience (Normative)

Issue #261 resolved
Casper Biering created an issue

Spec says "This member identifies the audience that this ID Token is intended for. It is RECOMMENDED that aud be the OAuth client_id of the RP."

Since the client must check that the JWT is issued to them using the aud claim, it should be required to use the client_id as aud, unless the audience param from the Authorization Request has been defined.

So I suggest changing it to something like "Identifies the audience that this ID Token is intended for. It MUST be the OAuth client_id of the RP, UNLESS the audience parameter is defined in the Authorization Request."
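The RP-side check that the proposed wording would make possible, as an added example that is not part of the original issue or of the spec. It assumes the signature has already been verified elsewhere, goes beyond the issue by also accepting a list-valued aud as JWT permits, and all function names and sample values are hypothetical.

```python
import base64
import json


class AudienceError(ValueError):
    """Raised when an ID Token is not addressed to this RP."""


def decode_claims(id_token):
    """Return the claims of a compact JWS. The signature is NOT verified here."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise AudienceError("not a compact JWS")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_audience(claims, client_id, requested_audience=None):
    """Accept the token only if aud names the value this RP expects.

    Expected value: the audience parameter sent in the Authorization Request
    if one was sent, otherwise the RP's own client_id (the rule proposed above).
    """
    expected = requested_audience if requested_audience is not None else client_id
    aud = claims.get("aud")
    if aud is None:
        raise AudienceError("aud claim missing")
    # Assumption: aud is a single string or a list of strings (as JWT allows).
    audiences = [aud] if isinstance(aud, str) else list(aud)
    if expected not in audiences:
        raise AudienceError(f"token issued for {audiences!r}, expected {expected!r}")
    return expected


def make_sample_token(claims):
    """Build a constructed sample token with a placeholder signature."""
    def b64(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{b64({'alg': 'RS256'})}.{b64(claims)}.placeholder-signature"
```

If the OP is free to put an arbitrary value in aud, the RP has no fixed `expected` value to compare against, which is the gap the issue describes.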
