See https://bitbucket.org/openid/fapi/issues/398/new-certification-check-aud-in-client - it was discussed on today’s call and we felt that we should probably add a normative clause in FAPI2 that requires the OP to accept the issuer as the aud for client authentication assertions (along with the token endpoint as per OIDC and the url the assertion is being sent to as is also sometimes currently done). This is to aid interoperability.
I agree with Joseph.
Suggested wording:
shall accept its issuer value in the
audclaim received in client authentication assertions
@daniel ?
We had a lot of discussion about this today. I’ve updated the PR as follows:
I think this meets the aims of nudging the ecosystem towards using the issuer value for client assertions, but avoids Authorization Servers from being penalized for allowing other values.
While we are aiming for interoperability in FAPI 2.0 - I personally feel that this achieves a realistic balance.
It would be good to get any feedback on the updated PR as soon as possible.
For those not on the call the discussion ranged about:
I will open another issue for the question of multiple audience values.
The PR has already been merged
