Merge pull request #467 from DuendeSoftware/josephdecock-patch-1

Expand EmitStaticAudienceClaim description

IdentityServer/v7/docs/content/reference/options.md

@@ -44,7 +44,7 @@ Top-level settings. Available directly on the *IdentityServerOptions* object.
 
 * ***EmitStaticAudienceClaim***
 
-    Emits a static *aud* claim in all access tokens with the format *issuer/resources*. Defaults to *false*.
+    Emits a static *aud* (audience) claim in all access tokens with the format *{issuer}/resources*. For example, if IdentityServer was running at *https:\//identity.example.com*, the static *aud* claim's value would be *https:\//identity.example.com/resources*. Historically, older versions of IdentityServer produced tokens with a static audience claim in this format. This flag is intended for use when you need to produce backwards-compatible access tokens. Also note that multiple audience claims are possible. If you enable this flag and also configure *ApiResource*s you can have both the static audience and audiences from the API resources. Defaults to *false*.
 
 * ***EmitIssuerIdentificationResponseParameter***
 
@@ -710,4 +710,4 @@ Pushed Authorization Requests (PAR) settings. Available on the *PushedAuthorizat
 
 * ***Lifetime***
 
-    Controls the lifetime of pushed authorization requests. The pushed authorization request's lifetime begins when the request to the PAR endpoint is received, and is validated until the authorize endpoint returns a response to the client application. Note that user interaction, such as entering credentials or granting consent, may need to occur before the authorize endpoint can do so. Setting the lifetime too low will likely cause login failures for interactive users, if pushed authorization requests expire before those users complete authentication. Some security profiles, such as the FAPI 2.0 Security Profile recommend an expiration within 10 minutes to prevent attackers from pre-generating requests. To balance these constraints, this lifetime defaults to 10 minutes. 
+    Controls the lifetime of pushed authorization requests. The pushed authorization request's lifetime begins when the request to the PAR endpoint is received, and is validated until the authorize endpoint returns a response to the client application. Note that user interaction, such as entering credentials or granting consent, may need to occur before the authorize endpoint can do so. Setting the lifetime too low will likely cause login failures for interactive users, if pushed authorization requests expire before those users complete authentication. Some security profiles, such as the FAPI 2.0 Security Profile recommend an expiration within 10 minutes to prevent attackers from pre-generating requests. To balance these constraints, this lifetime defaults to 10 minutes.