Why use http/https-protocol definition in the API Audience id?

Hi, in all the examples of audience settings I have seen, the recommended format for the audience id is “http://xxxxx.xx/xx”.
Is there any reason why no examples are shown using “urn:/xxxxxxx.xx/xx”, and why use the protocol in the audience id? The protocol definition in the audience id seems strange to me, but maybe it's recommended somewhere in OAuth2 or OIDC?

Thanks
Daniel

Hi @daniel7,

The spec mentions a few things that make it seem mandatory to add the protocol, but it is not stated explicitly from what I can find. Someone else may have more insight here.

It looks like the audience param should be used directly in the request.

When the client interacts with the resource server it constructs the access token request to the token endpoint by adding the audience parameter using the “application/x-www-form-urlencoded” format with a character encoding of UTF-8 in the HTTP request entity-body.

And the audience claim is often found during a discovery procedure, which is likely where the URL comes from.

Step (0): As an initial step the client typically determines the resource server it wants to interact with, for example, as part of a discovery procedure.

Again, someone may have more insight here but this is what I could find in the spec.

Here is the audience spec:
https://tools.ietf.org/id/draft-tschofenig-oauth-audience-00.html

Hope this helps!

Thanks,
Dan
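As an added example (not code from the thread, the draft, or any particular identity provider), here is what the two points above look like in practice: the client puts `audience` into the form-urlencoded entity-body of the token request exactly as it would any other parameter, and the resource server compares the resulting `aud` claim by exact string match as RFC 7519 defines it. The token endpoint, client credentials, hostnames and URN below are constructed for illustration. The check deliberately treats a URN and an http(s) URL identically, since neither the request parameter nor the claim gives the scheme any protocol meaning; it also shows the edge case the URL form introduces, where a trailing slash changes the audience.

```python
# Added example, not from the forum thread or the audience draft.
# All endpoints, credentials and identifiers are constructed for illustration.
from urllib.parse import parse_qs, urlencode

TOKEN_ENDPOINT = "https://auth.example.com/oauth/token"  # assumed, illustrative only


def build_token_request(client_id: str, client_secret: str, audience: str,
                        scope: str = ""):
    """Return (headers, body) for a client_credentials access token request.

    Per the audience draft, `audience` is just another parameter in the
    application/x-www-form-urlencoded entity-body, UTF-8 encoded. Its value
    is an opaque identifier: a URN and an http(s) URL are handled the same way.
    """
    params = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "audience": audience,
    }
    if scope:
        params["scope"] = scope
    headers = {"Content-Type": "application/x-www-form-urlencoded; charset=UTF-8"}
    body = urlencode(params, encoding="utf-8")  # ':' and '/' are percent-encoded
    return headers, body


def decode_audience(body: str) -> str:
    """What the token endpoint sees after decoding the form body."""
    return parse_qs(body, encoding="utf-8")["audience"][0]


def audience_matches(aud_claim, expected: str) -> bool:
    """Resource-server check of the JWT "aud" claim (RFC 7519, section 4.1.3).

    "aud" may be a single string or an array of strings. The comparison is an
    exact, case-sensitive string match with no URL normalisation, so
    "https://api.example.com" and "https://api.example.com/" are two different
    audiences, while "urn:example:api" is as valid as any http(s) URL.
    """
    if isinstance(aud_claim, str):
        values = [aud_claim]
    elif isinstance(aud_claim, list) and all(isinstance(v, str) for v in aud_claim):
        values = aud_claim
    else:
        return False  # malformed claim: reject rather than guess
    return expected in values


if __name__ == "__main__":
    hdrs, body = build_token_request("client-123", "s3cret", "urn:example:api", "read")
    print(hdrs, body, sep="\n")
    print("decoded audience:", decode_audience(body))
    print(audience_matches(["https://api.example.com/", "urn:example:api"], "urn:example:api"))
```

The practical consequence for the original question: whichever form you pick, the exact string you register as the API identifier is the string the token will carry and the string the resource server must compare against, so choose one spelling and use it everywhere.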
