Terminology: "relying party" vs. "client"

[SECtim]

In some places, the term "relying party" is used instead of "client":

oauth-v2-1/draft-ietf-oauth-v2-1.md

Lines 2820 to 2822 in f79f588

	This discloses the sensitive credentials to the client. If the
	relying party is malicious, it can use the credentials to impersonate
	the user at the AS.

oauth-v2-1/draft-ietf-oauth-v2-1.md

Lines 2578 to 2582 in f79f588

	#### Issue scoped bearer tokens
	Authorization servers SHOULD issue bearer tokens
	that contain an audience restriction, scoping their use to the
	intended relying party or set of relying parties.

[aaronpk]

@dickhardt this sentence is from RFC6750, but the terminology seems to conflict with modern uses of "audience restricted access tokens". Do you remember what this was intended to mean?

Issue scoped bearer tokens: Token servers SHOULD issue bearer tokens
that contain an audience restriction, scoping their use to the
intended relying party or set of relying parties.

[dickhardt]

In practice this is the 'aud' claim in a JWT -- but since 6750 does not specify a token format, this is guidance that the token should indicate who the audience is

The phrase "issue scoped bearer tokens" is confusing as it is conflating scopes with audience

Can you point me to what you mean by 'modern uses of "audience restricted access tokens"'

[dickhardt]

Also, In the case of 6750 as this is an access token, replying party is referring to the resource server, not the client.