diff --git a/lws10-core/Authentication.html b/lws10-core/Authentication.html
index 5a2076d..e317c86 100644
--- a/lws10-core/Authentication.html
+++ b/lws10-core/Authentication.html
@@ -18,9 +18,9 @@ End-User Credential Data Model
- - subject REQUIRED — an identifier for an end user. This MUST be an absolute URI.
- - issuer REQUIRED — an identifier for the entity that issued the end-user credential. This MUST be an absolute URI.
- - client REQUIRED — an identifier for a client application. This SHOULD be an absolute URI.
+ - subject REQUIRED — an identifier for an end user. This MUST be a URI.
+ - issuer REQUIRED — an identifier for the entity that issued the end-user credential. This MUST be a URI.
+ - client REQUIRED — an identifier for a client application. This SHOULD be a URI.
- audience restriction RECOMMENDED — a list of values that SHOULD include an authorization server identifier.
diff --git a/lws10-core/Authorization.html b/lws10-core/Authorization.html
index 03ea254..3b7504d 100644
--- a/lws10-core/Authorization.html
+++ b/lws10-core/Authorization.html
@@ -46,11 +46,11 @@ Authorization Server Discovery
-
-
as_uri REQUIRED — The value of this parameter is an absolute URI identifying the authorization server
+ as_uri REQUIRED — The value of this parameter is a URI identifying the authorization server
where a client can retrieve an access token. The value of this parameter will be the same as the iss claim of a valid access token.
-
-
realm REQUIRED — The value of this parameter is an absolute URI indicating the scope of protection.
+ realm REQUIRED — The value of this parameter is a URI indicating the scope of protection.
This value will be included in the audience (aud) claim of an access token. A client MUST verify that
the URI of the originating request is logically contained within the realm presented in this response.
@@ -136,7 +136,7 @@ Request
- - The
resource parameter is REQUIRED. The value of this parameter MUST be an absolute URI and will be used to populate the
+ - The
resource parameter is REQUIRED. The value of this parameter MUST be a URI and will be used to populate the
aud (audience) claim in the resulting access token. The supplied value will be the same as the
realm parameter response in a WWW-Authenticate challenge. The authorization server
MUST reject any request in which the resource parameter identifies an unknown or untrusted storage.
@@ -183,16 +183,16 @@ Response
-
-
sub (subject) — REQUIRED. This claim MUST be an absolute URI identifying the agent performing the operation
+ sub (subject) — REQUIRED. This claim MUST be a URI identifying the agent performing the operation
-
-
iss (issuer) — REQUIRED. This claim MUST be the absolute URI of the authorization server
+ iss (issuer) — REQUIRED. This claim MUST be the URI of the authorization server
-
-
client_id (client id) — REQUIRED. This claim MUST be an absolute URI identifying the client.
+ client_id (client id) — REQUIRED. This claim MUST be a URI identifying the client.
-
-
aud (audience) — REQUIRED. This claim MUST include the absolute URI supplied by the client
+ aud (audience) — REQUIRED. This claim MUST include the URI supplied by the client
in the resource parameter. This value will be used to restrict the entities for which the access token is valid. This will
be the same value as provided by a storage server in the realm parameter of a WWW-Authenticate challenge.
@@ -306,7 +306,7 @@ Validation
Issuer Validation: Verify the iss claim matches the expected authorization server identifier.
-
- Audience Validation: Verify the
aud claim contains exactly one value and this value is an absolute URI identifying the storage server which logically contains the target resource.
+ Audience Validation: Verify the aud claim contains exactly one value and this value is a URI identifying the storage server which logically contains the target resource.
-
Temporal Validation, subject to an allowable clock skew between systems.