Maybe I'm missing the bigger picture, but if you're going back to the same AS
like the diagram shows, why not just request the xyz scope in the initial
request and cut out the middle steps?

More generally I can say I've thought about these kinds of token exchange
cases and they should be possible in theory. In practice I expect getting
everything to work and validate correctly with respect to scopes and
audience values might be a little tricky.


On Mon, Dec 10, 2012 at 7:34 AM, Lewis Adam-CAL022 <
adam.le...@motorolasolutions.com> wrote:

> Hi,
>
> I continue to have an interest in the OAuth assertion profiles for my use
> cases.  I'm wondering if the idea of performing a first OAuth dance which
> returns to the client a structured JWT access token (with scope=AS for
> example) could then be used as the JWT in an assertion grant type?  So
> something like this (I show the RO credential flow since it is the simplest
> to draw, but same idea for the code flow):
>
>
> Client                  AS
> |                       |
> |---------------------->| (authorization request scope=AS, grant_type=RO password credentials)
> |                       |
> |<----------------------| (token response with access_token scoped to AS)
> |                       |
> |---------------------->| (authorization request, scope=xyz, grant_type=JWT assertion as obtained from previous step)
> |                       |
> |<----------------------| (token response with access token scoped to xyz)
>
>
>
> I suppose there is nothing in theory which should prevent this, but I am
> wondering if anybody else has thought of such a usage.
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
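The two-step dance drawn in the quoted message, written out as an added example (not code from either poster or from any OAuth library): a toy authorization server issues an HS256-signed JWT access token with scope=AS via the resource-owner password grant, then accepts that same JWT as a bearer assertion grant and issues a second token scoped to xyz. It shows where the scope and audience values have to line up, which is the part flagged as tricky in the reply: the first token must name the AS's own token endpoint as its audience or the AS has no basis for accepting it as an assertion, while the second token is addressed to the xyz resource and is therefore useless as a further assertion. All names (https://as.example, https://xyz.example, user alice, the HMAC key) are constructed; the one-time-use jti check is an assumption added here, since RFC 7523 only permits, not requires, replay rejection by jti.

```python
import base64
import hashlib
import hmac
import json
import time
import uuid


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


class AuthorizationServer:
    """Toy AS: issues HS256 JWT access tokens and accepts its own tokens as
    JWT bearer assertions (RFC 7523 style). Names and key are constructed."""

    def __init__(self, issuer="https://as.example", key=b"assumed-shared-secret"):
        self.issuer = issuer
        self.token_endpoint = issuer + "/token"
        self.key = key
        self.users = {"alice": "correct horse"}           # constructed sample user
        self.allowed_scopes = {"alice": {"AS", "xyz"}}    # what alice may be granted
        self.used_jti = set()                              # assumed replay protection

    def _sign(self, claims):
        header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
        body = _b64url(json.dumps(claims).encode())
        sig = hmac.new(self.key, f"{header}.{body}".encode(), hashlib.sha256).digest()
        return f"{header}.{body}.{_b64url(sig)}"

    def _verify(self, token):
        header, body, sig = token.split(".")
        expected = hmac.new(self.key, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            raise ValueError("bad signature")
        return json.loads(_b64url_decode(body))

    def _issue(self, sub, scope, aud, ttl=300):
        now = int(time.time())
        return self._sign({"iss": self.issuer, "sub": sub, "aud": aud, "scope": scope,
                           "iat": now, "exp": now + ttl, "jti": uuid.uuid4().hex})

    def password_grant(self, username, password, scope):
        # Step 1 of the diagram: RO password credentials, scope=AS. The audience is
        # the AS's own token endpoint, so the token only means something back here.
        if self.users.get(username) != password:
            raise PermissionError("invalid_grant")
        if scope not in self.allowed_scopes[username]:
            raise PermissionError("invalid_scope")
        return self._issue(username, scope, aud=self.token_endpoint)

    def jwt_assertion_grant(self, assertion, scope):
        # Step 2: grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer with the
        # step-1 token as the assertion. Every check below is one the AS must do
        # before it can trust a JWT it issued as an access token in a new role.
        claims = self._verify(assertion)
        now = int(time.time())
        if claims["iss"] != self.issuer:
            raise PermissionError("invalid_grant: unknown issuer")
        if claims["aud"] != self.token_endpoint:
            raise PermissionError("invalid_grant: assertion not addressed to this AS")
        if claims["exp"] <= now:
            raise PermissionError("invalid_grant: expired")
        if "AS" not in claims["scope"].split():
            raise PermissionError("invalid_grant: token was not scoped for use at the AS")
        if claims["jti"] in self.used_jti:
            raise PermissionError("invalid_grant: assertion replayed")
        self.used_jti.add(claims["jti"])
        sub = claims["sub"]
        if scope not in self.allowed_scopes[sub]:
            raise PermissionError("invalid_scope")
        # The new token is addressed to the xyz resource, not to the AS.
        return self._issue(sub, scope, aud="https://xyz.example")


def run_exchange():
    """Drive both steps; return the decoded claims of each token so the
    scope/audience difference between them is visible."""
    as_ = AuthorizationServer()
    t1 = as_.password_grant("alice", "correct horse", "AS")
    t2 = as_.jwt_assertion_grant(t1, "xyz")
    return as_._verify(t1), as_._verify(t2)


def xyz_token_rejected_as_assertion():
    """Failure mode: the xyz-scoped token is addressed to the resource, so the
    AS refuses it as an assertion. Returns the error string."""
    as_ = AuthorizationServer()
    t1 = as_.password_grant("alice", "correct horse", "AS")
    t2 = as_.jwt_assertion_grant(t1, "xyz")
    try:
        as_.jwt_assertion_grant(t2, "xyz")
    except PermissionError as e:
        return str(e)
    return None


def replay_rejected():
    """Failure mode: presenting the same step-1 token twice as an assertion."""
    as_ = AuthorizationServer()
    t1 = as_.password_grant("alice", "correct horse", "AS")
    as_.jwt_assertion_grant(t1, "xyz")
    try:
        as_.jwt_assertion_grant(t1, "xyz")
    except PermissionError as e:
        return str(e)
    return None


if __name__ == "__main__":
    first, second = run_exchange()
    print("step 1 token:", first["scope"], first["aud"])
    print("step 2 token:", second["scope"], second["aud"])
    print(xyz_token_rejected_as_assertion())
    print(replay_rejected())
```

The audience check is the one that decides whether this pattern is safe: if the step-1 access token were instead addressed to some resource server, that resource server could present it back to the AS as an assertion and mint an xyz token for the user, which is exactly the confusion the reply is hinting at. Whether an assertion should be single-use is a policy choice; it is modelled here with the jti set, but a token that is also a live access token may legitimately need to be presented more than once.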