We came across what looks like an oddity whilst implementing tests; I’m not sure if I’ve missed a specification or if there is something that could benefit from clarification:
I can’t entirely figure out what the ‘aud’ value in a client assertion to the backchannel authentication endpoint should be.
The client assertion spec, https://tools.ietf.org/html/rfc7521#section-5.1, says:
“Audience: A value that identifies the party or parties intended to process the assertion. The URL of the token endpoint, as defined in Section 3.2 of OAuth 2.0 [RFC6749], can be used to indicate that the authorization server is a valid intended audience of the assertion.”
https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication doesn’t seem to add any clarity.
By contrast, the CIBA request object is quite clear: “The Audience claim MUST contain the value of the Issuer Identifier for the OP, which identifies the Authorization Server as an intended audience.”
The three possibilities for the audience for client assertion seem to be:
1. the token endpoint (as RFC7521 says)
2. the backchannel authentication endpoint (because that’s where the assertion is being sent)
3. the issuer (to match the CIBA request object)
The server I’m trying against (Authlete) seems to have interpreted it as ‘2’.
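As an added illustration, not part of this thread and not Authlete's or any library's code: a minimal server-side check for a `client_secret_jwt` client assertion presented to the backchannel authentication endpoint that accepts any of the three candidate `aud` values listed above (token endpoint, backchannel authentication endpoint, issuer) and rejects everything else. The issuer and endpoint URLs, the client id, the shared secret and the function names are all constructed for the example; it uses HS256 over a hand-rolled JWT so that it runs with the Python standard library only.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for a hypothetical authorization server; not a real deployment.
ISSUER = "https://as.example.com"
TOKEN_ENDPOINT = "https://as.example.com/token"
BACKCHANNEL_ENDPOINT = "https://as.example.com/bc-authorize"
CLIENT_ID = "s6BhdRkqt3"
CLIENT_SECRET = b"constructed-shared-secret-do-not-use"

# The three audience values the thread considers plausible; accepting all of them
# lets a server interoperate with clients that picked any one of them.
ACCEPTED_AUDIENCES = frozenset({TOKEN_ENDPOINT, BACKCHANNEL_ENDPOINT, ISSUER})


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_client_assertion(aud, now=None, secret=CLIENT_SECRET):
    """Client side: build an HS256 client assertion (client_secret_jwt) with the given aud."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": CLIENT_ID, "sub": CLIENT_ID, "aud": aud,
              "jti": f"jti-{now}", "iat": now, "exp": now + 300}
    compact = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{compact(header)}.{compact(claims)}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_client_assertion(assertion, expected_client_id=CLIENT_ID, now=None,
                            secret=CLIENT_SECRET, accepted=ACCEPTED_AUDIENCES):
    """Server side: return (ok, reason). Checks alg, signature, iss/sub, exp and aud."""
    now = int(time.time()) if now is None else now
    parts = assertion.split(".")
    if len(parts) != 3:
        return False, "malformed assertion"
    h_b64, c_b64, s_b64 = parts
    header = json.loads(_b64url_decode(h_b64))
    if header.get("alg") != "HS256":          # pin the algorithm; never trust 'none'
        return False, "unexpected alg"
    expected_sig = hmac.new(secret, f"{h_b64}.{c_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(s_b64)):
        return False, "bad signature"
    claims = json.loads(_b64url_decode(c_b64))
    if claims.get("iss") != expected_client_id or claims.get("sub") != expected_client_id:
        return False, "iss/sub do not match the authenticating client"
    if claims.get("exp", 0) <= now:
        return False, "assertion expired"
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]   # aud may be a string or an array
    if not any(a in accepted for a in auds):
        return False, f"audience not accepted: {auds}"
    return True, "ok"


if __name__ == "__main__":
    for candidate in (TOKEN_ENDPOINT, BACKCHANNEL_ENDPOINT, ISSUER, "https://other.example"):
        print(candidate, "->", verify_client_assertion(make_client_assertion(candidate)))
```

A production server would additionally record `jti` values until their `exp` to stop replay of a captured assertion, and would decide deliberately whether to accept all three audiences or only one; the point of the example is that an interoperable server has to make that choice explicitly, because the specifications quoted above do not.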