|
147 | 147 | <t hangText="Audience"> |
148 | 148 | <vspace/> |
149 | 149 | A value that identifies the party intended to process the assertion. |
150 | | - The audience MUST contain the issuer identifier <xref target="RFC8414"/> |
151 | | - of the authorization server as its sole value. |
152 | | - Unlike the audience value specified |
153 | | - in <xref target="RFC7521"/>, there MUST be no value other than |
154 | | - the issuer identifier of the intended authorization server |
155 | | - used as the audience of the assertion; |
156 | | - this includes that the token endpoint URL of the authorization server |
157 | | - MUST NOT be used as an audience value. |
| 150 | + The audience value MUST |
| 151 | + identify the authorization server as the intended audience. |
| 152 | + It is the responsibility of the client to use only audience values |
| 153 | + that are specific to the authorization server being used. |
| 154 | + This MAY be the issuer identifier of the authorization server. |
| 155 | + The authorization server MUST reject any assertion that does not |
| 156 | + contain its own identity as the intended audience. |
158 | 157 | </t> |
159 | 158 | </list> |
160 | 159 | </t> |
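Review bot: the replacement at lines 150-156 drops the "sole value" requirement and the explicit prohibition on the token endpoint URL, but does not say whether additional audience values are allowed alongside the authorization server's identity; an assertion with several audiences would then be accepted as long as one of them names the server, which the deleted text ruled out. If that relaxation is intended, state it (for example "the audience MAY contain additional values") and keep the `<xref target="RFC8414"/>` after "issuer identifier" so the term stays defined and the RFC 8414 reference does not become unused; if it is not intended, keep "as its sole value" from the removed text. "Contain its own identity" at line 156 should also name which identifiers qualify, since the RFC 7522 and RFC 7523 sections enumerate issuer identifier, token endpoint URL and SAML Entity ID while this text mentions only the issuer identifier.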
|
164 | 163 | is replaced by: |
165 | 164 | <list style="empty"> |
166 | 165 | <t> |
167 | | - The assertion MUST contain an audience that identifies the |
168 | | - authorization server as the intended audience, |
169 | | - with the issuer identifier <xref target="RFC8414"/> |
170 | | - of the authorization server as its sole value. |
171 | | - The authorization server MUST reject any assertion that does not |
172 | | - contain its own issuer identifier as the sole audience value. |
| 166 | + The assertion MUST contain an audience value that identifies the |
| 167 | + authorization server as the intended audience. |
| 168 | + It is the responsibility of the client to use only audience values |
| 169 | + that are specific to the authorization server being used. |
| 170 | + The authorization server MUST reject any assertion that does not |
| 171 | + contain its own identity as the intended audience. |
173 | 172 | </t> |
174 | 173 | </list> |
175 | 174 | </t> |
176 | | - <t> |
177 | | - In the list of agreements required by participants |
178 | | - in Section 7 of <xref target="RFC7521"/> (Interoperability Considerations), |
179 | | - "audience identifiers" is removed from the list. |
180 | | - </t> |
181 | 175 | </section> |
182 | 176 |
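Review bot: deleting the paragraph at lines 176-180 silently reinstates "audience identifiers" as an item parties must agree on under Section 7 of RFC 7521, which is consistent with the relaxed rule at lines 166-171 but leaves no trace of why the earlier update was withdrawn; a sentence noting that the RFC 7521 Section 7 interoperability agreement on audience identifiers remains unchanged would make the intent clear. Lines 166-171 also repeat the wording of the previous hunk, so "contain its own identity as the intended audience" should be phrased the same way in both places, and "as an audience value" would be more precise than "as the intended audience" once more than one value is permitted.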
|
183 | 177 | <section title="Updates to RFC 7522" anchor="RFC7522Updates"> |
|
209 | 203 | with an <AudienceRestriction> element |
210 | 204 | with an <Audience> element that identifies the |
211 | 205 | authorization server as the intended audience. |
212 | | - It is the responsibility of the client to use only |
213 | | - audience values that |
214 | | - are specific to the authorization server being used. |
215 | | - This MAY be |
216 | | - the issuer identifier of the authorization server, |
| 206 | + It is the responsibility of the client to use only audience values |
| 207 | + that are specific to the authorization server being used. |
| 208 | + This MAY be the issuer identifier of the authorization server, |
217 | 209 | the token endpoint URL of the authorization server, or |
218 | 210 | a SAML Entity ID. |
219 | 211 | Section 2.5.1.4 of |
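Review bot: lines 206-208 are a whitespace-only rewrap of lines 212-216 with no change in meaning, which is fine on its own but mixes a cosmetic edit into a commit that changes normative text elsewhere; splitting rewraps into a separate commit would make the substantive diff easier to review. Note that this section still lists the token endpoint URL and a SAML Entity ID as permitted audience values, so the RFC 7521 section should either list the same options or say "for example".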
|
332 | 324 | <list style="letters"> |
333 | 325 | <t> |
334 | 326 | For the authorization grant, |
335 | | - it is the responsibility of the client to use only |
336 | | - <spanx style="verb">aud</spanx> values that |
337 | | - are specific to the authorization server being used. |
| 327 | + it is the responsibility of the client to use only audience values |
| 328 | + that are specific to the authorization server being used. |
338 | 329 | This MAY be either |
339 | 330 | the issuer identifier of the authorization server or |
340 | 331 | the token endpoint URL of the authorization server. |
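Review bot: replacing `<spanx style="verb">aud</spanx> values` with "audience values" at lines 327-328 loses the name of the JWT claim that carries the restriction, which is the one concrete identifier an implementer of RFC 7523 checks; keep the claim name at first mention, for example "audience (<spanx style="verb">aud</spanx>) values", so the text still points at the claim being validated. The permitted values listed at lines 329-331 (issuer identifier or token endpoint URL) should also match whatever the RFC 7521 section ends up permitting.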
|