@techreport{tschofenig-oauth-audience-00,
    number =    {draft-tschofenig-oauth-audience-00},
    type =      {Internet-Draft},
    institution =   {Internet Engineering Task Force},
    publisher = {Internet Engineering Task Force},
    note =      {Work in Progress},
    url =       {https://datatracker.ietf.org/doc/draft-tschofenig-oauth-audience/00/},
    author =    {Hannes Tschofenig},
    title =     {{OAuth 2.0: Audience Information}},
    pagetotal = 12,
    year =      2013,
    month =     feb,
    day =       18,
    abstract =  {The OAuth 2.0 Bearer Token specification allows any party in possession of a bearer token to get access to the associated resources (without demonstrating possession of a cryptographic key). To prevent misuse, two important security assumptions must hold: bearer tokens must be protected from disclosure in storage and in transport and the access token must only be valid for use with a specific resource server (the audience) and with a specific scope. This document defines a new header that is used by the client to indicate what resource server, as the intended recipient, it wants to access. This information is subsequently also communicated by the authorization server securely to the resource server, for example within the audience field of the access token.},
}