Re: [OAUTH-WG] JWT grant_type and client_id

Thu, 14 Mar 2013 17:47:32 -0700 

Hmmm, one more thought ... no scope??  The JWT is the grant, is it assumed that 
the scope is conveyed as a claim within the token?  Otherwise it would seem 
that it would require a scope.

Thoughts?
adam

From: Brian Campbell [mailto:bcampb...@pingidentity.com]
Sent: Thursday, March 14, 2013 4:44 PM
To: Lewis Adam-CAL022
Cc: Mike Jones; "WG <oauth@ietf.org>"@il06exr02.mot.com
Subject: Re: [OAUTH-WG] JWT grant_type and client_id

Yes, that is correct.
I'm working on new revisions of the drafts that will hopefully make that point 
more clear.

On Thu, Mar 14, 2013 at 5:26 PM, Lewis Adam-CAL022 
<adam.le...@motorolasolutions.com<mailto:adam.le...@motorolasolutions.com>> 
wrote:

Coming back to this ... am I correct in that client_id is not required?  We are 
implementing this spec and want to make sure that we are doing it right.  By my 
understanding the only two parameters that are required in the JWT grant type 
are  "urn:ietf:params:oauth:grant-type:jwt-bearer"  and the assertion.   Is 
this correct?


From: Mike Jones 
[mailto:michael.jo...@microsoft.com<mailto:michael.jo...@microsoft.com>]
Sent: Monday, February 18, 2013 6:58 PM
To: Lewis Adam-CAL022; oauth@ietf.org<mailto:oauth@ietf.org> WG
Subject: RE: JWT grant_type and client_id

The client_id value and the access token value are independent.

                                                                -- Mike

From: oauth-boun...@ietf.org<mailto:oauth-boun...@ietf.org> 
[mailto:oauth-boun...@ietf.org<mailto:oauth-boun...@ietf.org>] On Behalf Of 
Lewis Adam-CAL022
Sent: Monday, February 18, 2013 2:50 PM
To: oauth@ietf.org<mailto:oauth@ietf.org> WG
Subject: [OAUTH-WG] JWT grant_type and client_id


Is there any guidance on the usage of client_id when using the JWT assertion 
profile as a grant type?  draft-ietf-oauth-jwt-bearer-04 makes no mention so I 
assume that it is not required ... but it would be necessary if using in 
conjunction with a HOK profile where the JWT assertion is issued to - and may 
only be used by - the intended client.  Obviously this is straight forward 
enough, really I'm just looking to be sure that I'm not missing anything.

tx
adam

_______________________________________________
OAuth mailing list
OAuth@ietf.org<mailto:OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth


_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

Reply via email to