|
278 | 278 | used as the audience of the JWT; |
279 | 279 | this includes that the token endpoint URL of the authorization server |
280 | 280 | MUST NOT be used as an audience value. |
281 | | - It is RECOMMENDED that the <spanx style="verb">aud</spanx> claim value |
| 281 | + To simplify implementations, |
| 282 | + the <spanx style="verb">aud</spanx> claim value MUST |
282 | 283 | be a JSON string, and not a single-valued JSON array. |
283 | | - The authorization server MUST reject any JWT that does not |
284 | | - contain its issuer identifier as its sole audience value. |
285 | | - In the absence of an application profile specifying |
286 | | - otherwise, compliant applications MUST compare the audience |
287 | | - values using the Simple String Comparison method defined in Section |
288 | | - 6.2.1 of RFC 3986 <xref target="RFC3986"/>. |
| 284 | + The authorization server MUST reject any JWT that does not |
| 285 | + contain its issuer identifier as its sole audience value. |
| 286 | + In the absence of an application profile specifying |
| 287 | + otherwise, compliant applications MUST compare the audience |
| 288 | + values using the Simple String Comparison method defined in Section |
| 289 | + 6.2.1 of RFC 3986 <xref target="RFC3986"/>. |
289 | 290 | </t> |
290 | 291 | <t> |
291 | 292 | The JWT MUST contain an <spanx style="verb">exp</spanx> |
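Review bot: the new MUST at lines 281-283 (the `aud` value MUST be a JSON string, not a single-valued array) constrains the sender but leaves the receiving side unspecified. The retained sentence at 284-285 requires the authorization server to reject a JWT that does not contain its issuer identifier as its sole audience value, but a single-valued array containing the issuer identifier still satisfies "sole audience value", so it is ambiguous whether an AS must reject the array form or may accept it. Suggest adding an explicit rejection rule after line 285, e.g. "The authorization server MUST reject any JWT whose aud claim is a JSON array", or, if lenient acceptance is intended, stating that instead, since RECOMMENDED to MUST is a conformance change for existing clients. Minor: the deleted lines 283-288 are re-added unchanged as 284-289; re-wrapping so that only the changed sentence moves would keep the hunk minimal and make the substantive change easier to review.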
|
458 | 459 | the OAuth 2.0 Dynamic Client Registration Protocol <xref target="RFC7591"/>, |
459 | 460 | OAuth 2.0 Authorization Server Metadata <xref target="RFC8414"/>, |
460 | 461 | OpenID Connect Dynamic Client Registration 1.0 <xref target="OpenID.Registration"/>, |
461 | | - and OpenID Connect Discovery 1.0 <xref target="OpenID.Discovery"/>. |
| 462 | + OpenID Connect Discovery 1.0 <xref target="OpenID.Discovery"/>, |
| 463 | + and OpenID Federation 1.0 <xref target="OpenID.Federation"/>. |
462 | 464 | </t> |
463 | 465 | <t> |
464 | 466 | The <spanx style="verb">RS256</spanx> algorithm, from <xref target="JWA"/>, is a mandatory-to-implement JSON Web |
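Review bot: the new list item at line 463 cites `<xref target="OpenID.Federation"/>`, so the referenced anchor must exist in the references section; it does in this same commit, but please keep the two changes together if the commit is split or reverted. Also, the reference entry pins a specific day (24 October 2024) while the other entries in this list cite stable specifications; consider stating in the prose, or in the reference entry, which revision of OpenID Federation 1.0 is intended so that the citation remains meaningful if the target URL later serves a newer revision.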
|
607 | 609 | </front> |
608 | 610 | </reference> |
609 | 611 |
|
| 612 | + <reference anchor="OpenID.Federation" target="https://openid.net/specs/openid-federation-1_0.html"> |
| 613 | + <front> |
| 614 | + <title>OpenID Federation 1.0</title> |
| 615 | + <author fullname="Roland Hedberg"> |
| 616 | + <organization>independent</organization> |
| 617 | + </author> |
| 618 | + <author fullname="Michael B. Jones"> |
| 619 | + <organization>Self-Issued Consulting</organization> |
| 620 | + </author> |
| 621 | + <author fullname="A. Solberg"> |
| 622 | + <organization>Sikt</organization> |
| 623 | + </author> |
| 624 | + <author fullname="John Bradley"> |
| 625 | + <organization>Yubico</organization> |
| 626 | + </author> |
| 627 | + <author fullname="Giuseppe De Marco"> |
| 628 | + <organization>independent</organization> |
| 629 | + </author> |
| 630 | + <author fullname="Vladimir Dzhuvinov"> |
| 631 | + <organization>Connect2id</organization> |
| 632 | + </author> |
| 633 | + <date day="24" month="October" year="2024"/> |
| 634 | + </front> |
| 635 | + </reference> |
| 636 | + |
610 | 637 | <reference anchor="IANA.OAuth.Parameters" target="https://www.iana.org/assignments/oauth-parameters"> |
611 | 638 | <front> |
612 | 639 | <title>OAuth Parameters</title> |
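Review bot: author naming in the new reference is inconsistent: line 621 uses the initial form `fullname="A. Solberg"` while every other author (Roland Hedberg, Michael B. Jones, John Bradley, Giuseppe De Marco, Vladimir Dzhuvinov) is given with a full first name; suggest using the full first name for consistency. Two smaller style points: `<organization>independent</organization>` at lines 616 and 628 is lowercase while the other organization names are capitalized, and the `date` element pins day="24" month="October" year="2024" while `target` points at the unversioned URL `https://openid.net/specs/openid-federation-1_0.html`; either cite a dated or versioned URL that matches the pinned day, or drop the day and keep only month and year as the neighbouring references do.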
|