[OAUTH-WG] the meaning of audience in SAML vs. OAuth

[prateek mishra <prateek.mishra@oracle.com>]

Hannes - you make a good point.

I believe that the usage of "audience" in
http://www.ietf.org/id/draft-ietf-oauth-json-web-token-06.txt

also corresponds to <saml:destination> rather than <saml:audience>.

[quote-jwt06]
The aud (audience) claim identifies the audiences that the JWT is 
intended for. Each principal
intended to process the JWT MUST identify itself with a value in 
audience claim. If the principal
processing the claim does not identify itself with a value in the aud 
claim, then the JWT MUST
be rejected. In the general case, the aud value is an array of case 
sensitive strings, each
containing a StringOrURI value. In the special case when the JWT has one 
audience, the aud
value MAY be a single case sensitive string containing a StringOrURI 
value. The interpretation
of audience values is generally application specific. Use of this claim 
is OPTIONAL.
[\quote]

I think this is a point of quite some confusion (a similar problem arose 
during the SAML assertion drafts discussion
on Tuesday).

To the extent that JWT re-uses concepts and names from SAML, I dont 
think this is the correct name with the
semantics implied by the processing rules given in jwt06.

- prateek





> Hi Prateek,
>
> I never had planned to make the term audience to align with the SAML specification.
> However, in case this could lead to confusion we could also define a different term.
>
> Btw, did you look at the JWT spec whether the audience term there is inline with the SAML spec?
>
> Ciao
> Hannes
>
> On Mar 14, 2013, at 11:34 AM, prateek mishra wrote:
>
>> Hi Hannes,
>>
>> I wanted to point out that use of the term "audience" in this document is not consistent with the SAML 2.0 specification.
>>
>>
>> What you are referring to here as "audience" corresponds to <saml:destination> which is described as
>>
>> [quote-saml2.0]
>> Destination [Optional]
>> A URI reference indicating the address to which this request has been sent. This is useful to prevent
>> malicious forwarding of requests to unintended recipients, a protection that is required by some
>> protocol bindings. If it is present, the actual recipient MUST check that the URI reference identifies the
>> location at which the message was received. If it does not, the request MUST be discarded. Some
>> protocol bindings may require the use of this attribute (see [SAMLBind]).
>> [\quote]
>>
>> In contrast, <saml:audience>  is a means of limiting the liability of the asserting party and is described
>> in the following manner -
>>
>> [quote-saml2.0]
>>   <Audience>
>> A URI reference that identifies an intended audience. The URI reference MAY identify a document
>> that describes the terms and conditions of audience membership. It MAY also contain the unique
>> identifier URI from a SAML name identifier that describes a system entity (see Section 8.3.6).
>> The audience restriction condition evaluates to Valid if and only if the SAML relying party is a member of
>> one or more of the audiences specified.
>>
>> The SAML asserting party cannot prevent a party to whom the assertion is disclosed from taking action on
>> the basis of the information provided. However, the <AudienceRestriction> element allows the
>> SAML asserting party to state explicitly that no warranty is provided to such a party in a machine- and
>> human-readable form. While there can be no guarantee that a court would uphold such a warranty
>> exclusion in every circumstance, the probability of upholding the warranty exclusion is considerably
>> improved.
>> [\quote]
>>
>> - prateek
>>
>>