Issue #261 resolved

Messages 3.1.1. ID Token audience (Normative)

Casper Biering
created an issue

Spec says "This member identifies the audience that this ID Token is intended for. It is RECOMMENDED that aud be the OAuth client_id of the RP."

Since the client must check that the JWT is issued to them using the aud claim, it should be required to use the client_id as aud, unless the audience param from the Authorization Request has been defined.

So I suggest changing it to something like "Identifies the audience that this ID Token is intended for. It MUST be the OAuth client_id of the RP, UNLESS the audience parameter is defined in the Authorization Request."
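The check the issue describes, as an added example that is not part of the issue or of the OpenID Connect specification text: a Relying Party compares the ID Token's `aud` claim against the value it expects, its own `client_id`, or, following the wording proposed above, the audience it named in the Authorization Request if it defined one. The `client_id` and `requested_audience` parameters, the helper names and the sample tokens are constructed for this example; signature verification is assumed to have already succeeded and is out of scope here.

```python
"""Added example: validating the ``aud`` claim of an OpenID Connect ID Token.

Not code from the OpenID Foundation tracker or the spec; the function and
parameter names and all sample data below are constructed for illustration.
"""
import base64
import json
from typing import Optional


def make_sample_token(claims: dict) -> str:
    """Build an unsigned (alg=none) compact JWS carrying ``claims``.

    Constructed test data only: a real RP must verify the signature before
    trusting any claim, including ``aud``.
    """
    def b64url(raw: bytes) -> str:
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

    header = b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    return f"{header}.{payload}."


def decode_payload(id_token: str) -> dict:
    """Return the JWT payload as a dict (signature already verified upstream)."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def audience_accepted(claims: dict, client_id: str,
                      requested_audience: Optional[str] = None) -> bool:
    """Accept the token only if ``aud`` names this Relying Party.

    Per the issue's proposal: the expected audience is the RP's client_id,
    unless the RP defined an audience parameter in the Authorization Request,
    in which case that value is expected instead. ``aud`` may be a single
    string or an array of strings; anything else is rejected.
    """
    aud = claims.get("aud")
    if isinstance(aud, str):
        audiences = [aud]
    elif isinstance(aud, list) and aud and all(isinstance(a, str) for a in aud):
        audiences = aud
    else:
        return False  # missing, empty, or malformed aud: token is not for us
    expected = requested_audience if requested_audience is not None else client_id
    return expected in audiences


if __name__ == "__main__":
    token = make_sample_token({"iss": "https://op.example", "aud": "rp-client-1"})
    print(audience_accepted(decode_payload(token), "rp-client-1"))  # True
    print(audience_accepted(decode_payload(token), "rp-client-2"))  # False
```

The array case matters in practice: an OP may issue a token whose `aud` lists several audiences, and the RP must still find its own identifier among them rather than comparing the whole list to one string.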

Comments (3)
