While scope is one method that a AS could communicate authorization to a RS, it is not the only or perhaps even the most likely one. Using scope requires a relatively tight binding between the RS and AS, UMA uses a different mechanism that describes finer grained operations. The AS may include roles, user, or other more abstract claims that the the client may (god help them) pass on to EXCML for processing.
While having a scopes claim is possible, like any other claim it is not part of the JWT core security processing claims, and needs to be defined by extension. John B. On 2013-02-28, at 2:29 AM, Hannes Tschofenig <hannes.tschofe...@gmx.net> wrote: > Hi Mike, > > when I worked on the MAC specification I noticed that the JWT does not have a > claim for the scope. I believe that this would be needed to allow the > resource server to verify whether the scope the authorization server > authorized is indeed what the client is asking for. > > Ciao > Hannes > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth