The client cannot tell whether audience restriction has been applied #55
Comments
I agree that the token response should include
I agree with Aaron's assessment that this is out of scope for this specification. I'm prone to close this issue on that basis.
The current draft contains the wording:

However there is currently no way for the OAuth client to know (in the general case, i.e. loose coupling between the different actors) that the audience restriction has been properly supported and applied by the authorization server. For example, the authorization server might silently ignore the `resource` parameter of the authorization request.

Ideally, the authorization server should probably include the `resource` back in the authorization response, similar to how this is done for the `scope` parameter (and in a sense for the `authorization_details` parameter). Such an option should probably have been included in RFC 8707, however.

Alternatively (or in addition), some authorization server metadata could be used to indicate that it supports resource indication.