FAPI2SP: Note about client assertion audience looks misleading

Issue #579 resolved
Joseph Heenan created an issue

FAPI2SP says:

NOTE: In order to facilitate interoperability the authorization server should also accept its token endpoint URL or the URL of the endpoint at which the assertion was received in the aud claim received in client authentication assertions.

but PAR https://datatracker.ietf.org/doc/html/rfc9126#section-2 says:

Due to historical reasons, there is potential ambiguity regarding the appropriate audience value to use when employing JWT client assertion-based authentication (defined in Section 2.2 of [RFC7523] with private_key_jwt or client_secret_jwt authentication method names per Section 9 of [OIDC]). To address that ambiguity, the issuer identifier URL of the authorization server according to [RFC8414] SHOULD be used as the value of the audience. In order to facilitate interoperability, the authorization server MUST accept its issuer identifier, token endpoint URL, or pushed authorization request endpoint URL as values that identify it as an intended audience.

The ‘should’ in the FAPI note conflicts with the ‘must’ in the PAR spec.

Not sure how to unpick all that as the FAPI text applies to all endpoints (e.g. token endpoint too), whereas the PAR text only applies to the PAR endpoint.

Also the ‘note’ seems like it’s normative language so I’m not sure it’s appropriate to have it in a note.
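The audience check that both texts above describe, written out as an added example (not code from the FAPI or PAR specifications, nor from the issue author). It assumes the authorization server's RFC 8414 metadata is available as a dict and that the client assertion has already been signature-verified and its claims parsed; the metadata values and the endpoint URL it is received at are constructed samples. Per RFC 9126 the accepted set is the issuer identifier, the token endpoint URL and the PAR endpoint URL; the endpoint the assertion actually arrived at is also added, which is what the FAPI note asks for. The comparison is an exact string match, as RFC 8414 requires for issuer values, so a trailing slash or differing case is a mismatch.

```python
"""Audience validation for JWT client-authentication assertions (RFC 7523 /
RFC 9126). Added example; assumes claims are already signature-verified."""

from typing import Any, FrozenSet, Dict


def accepted_audiences(metadata: Dict[str, str], received_at: str) -> FrozenSet[str]:
    """Build the set of audience values that identify this authorization server.

    RFC 9126 section 2: issuer identifier, token endpoint URL and PAR endpoint
    URL MUST all be accepted. The URL the assertion was actually received at is
    included as well (the FAPI 2 note); for a token or PAR request that value
    is already in the set, so the union is harmless.
    """
    values = {metadata["issuer"], received_at}
    for key in ("token_endpoint", "pushed_authorization_request_endpoint"):
        if key in metadata:
            values.add(metadata[key])
    return frozenset(values)


def audience_matches(aud_claim: Any, accepted: FrozenSet[str]) -> bool:
    """RFC 7519: 'aud' is either a single string or an array of strings, and the
    recipient MUST reject the JWT unless one of the values identifies it.

    A missing claim, a non-string value, or an array containing non-strings is
    treated as a mismatch rather than raising, so the caller sees a plain
    reject decision. Comparison is exact (no URL normalisation).
    """
    if isinstance(aud_claim, str):
        candidates = [aud_claim]
    elif isinstance(aud_claim, list) and all(isinstance(a, str) for a in aud_claim):
        candidates = aud_claim
    else:
        return False
    return any(a in accepted for a in candidates)


def check_assertion_audience(claims: Dict[str, Any], metadata: Dict[str, str], received_at: str) -> bool:
    """Return True only if the assertion's 'aud' identifies this server."""
    return audience_matches(claims.get("aud"), accepted_audiences(metadata, received_at))


# Constructed sample metadata for a hypothetical authorization server.
SAMPLE_METADATA = {
    "issuer": "https://as.example",
    "token_endpoint": "https://as.example/token",
    "pushed_authorization_request_endpoint": "https://as.example/par",
}

if __name__ == "__main__":
    par_url = SAMPLE_METADATA["pushed_authorization_request_endpoint"]
    for aud in ("https://as.example", ["https://other.example", "https://as.example/token"],
                "https://as.example/", None):
        print(repr(aud), "->", check_assertion_audience({"aud": aud}, SAMPLE_METADATA, par_url))
```

The helper returns a decision rather than raising so it can sit inside a larger client-authentication routine that has already verified the signature, `iss`/`sub`, `exp` and `jti`; the audience check alone does not authenticate a client.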
