Currently we require the audience to be set to the client-id. Instead, it should be optional and may take an arbitrary value or multiple values.
The code should be revised for authorization (i.e. how to authorize the audience) - the trust model is not clear here.
Also, the code should be revised with respect to the final RFC (it was implemented based on a rather early RFC draft).