The spec is a touch vague on that. I think the scopes should be in the assertion and the client can use the scopes outside the assertion to down-scope.
Having a standard claim in JWT and SAML for passing scopes is probably useful as part of a profile.

John B.

On 2013-03-14, at 8:47 PM, Lewis Adam-CAL022 <adam.le...@motorolasolutions.com> wrote:

> Hmmm, one more thought … no scope?? The JWT is the grant, is it assumed that
> the scope is conveyed as a claim within the token? Otherwise it would seem
> that it would require a scope.
>
> Thoughts?
> adam
>
> From: Brian Campbell [mailto:bcampb...@pingidentity.com]
> Sent: Thursday, March 14, 2013 4:44 PM
> To: Lewis Adam-CAL022
> Cc: Mike Jones; "WG <oauth@ietf.org>"@il06exr02.mot.com
> Subject: Re: [OAUTH-WG] JWT grant_type and client_id
>
> Yes, that is correct.
>
> I'm working on new revisions of the drafts that will hopefully make that
> point more clear.
>
>
> On Thu, Mar 14, 2013 at 5:26 PM, Lewis Adam-CAL022
> <adam.le...@motorolasolutions.com> wrote:
> Coming back to this … am I correct in that client_id is not required? We are
> implementing this spec and want to make sure that we are doing it right. By
> my understanding the only two parameters that are required in the JWT grant
> type are "urn:ietf:params:oauth:grant-type:jwt-bearer" and the assertion.
> Is this correct?
>
>
> From: Mike Jones [mailto:michael.jo...@microsoft.com]
> Sent: Monday, February 18, 2013 6:58 PM
> To: Lewis Adam-CAL022; oauth@ietf.org WG
> Subject: RE: JWT grant_type and client_id
>
> The client_id value and the access token value are independent.
>
> -- Mike
>
> From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of
> Lewis Adam-CAL022
> Sent: Monday, February 18, 2013 2:50 PM
> To: oauth@ietf.org WG
> Subject: [OAUTH-WG] JWT grant_type and client_id
>
>
> Is there any guidance on the usage of client_id when using the JWT assertion
> profile as a grant type? draft-ietf-oauth-jwt-bearer-04 makes no mention so
> I assume that it is not required … but it would be necessary if using in
> conjunction with a HOK profile where the JWT assertion is issued to – and may
> only be used by – the intended client. Obviously this is straightforward
> enough, really I’m just looking to be sure that I’m not missing anything.
>
> tx
> adam
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
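The points the thread settles on (only `grant_type` and `assertion` are required in the token request, `client_id` is optional and independent of the assertion, and scopes belong in the assertion with the request's `scope` parameter only able to narrow them) can be shown as a small client/authorization-server pair. The following Python is an added example written for this page; it is not code from the thread, the OAuth working group or any IETF draft. The `scope` claim inside the JWT, the use of HS256 with a shared key (chosen only to stay dependency-free; a real authorization server would verify an asymmetric signature), the audience and key values, and the policy for an assertion that carries no scope claim are all assumptions for illustration.

```python
# Added example, not code from the thread or any IETF draft.  Models a JWT bearer
# token request (grant_type + assertion required, client_id optional) and an AS that
# takes authorised scopes from the assertion and lets the request's scope only narrow them.
# Assumptions: the "scope" claim in the JWT, HS256 with a shared key, all example values.
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

GRANT_TYPE = "urn:ietf:params:oauth:grant-type:jwt-bearer"
TOKEN_ENDPOINT = "https://as.example.test/token"        # constructed audience value
SHARED_KEY = b"constructed-demo-key-do-not-reuse"        # constructed; HS256 only for a self-contained demo


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_assertion(claims: dict, key: bytes = SHARED_KEY) -> str:
    """Issuer side: HS256-sign a claims set into a compact JWT (toy routine)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def build_token_request(assertion: str, scope: Optional[str] = None,
                        client_id: Optional[str] = None) -> dict:
    """Client side: token-endpoint form parameters; only grant_type and assertion are required."""
    params = {"grant_type": GRANT_TYPE, "assertion": assertion}
    if scope:
        params["scope"] = scope          # optional: ask for a subset of the assertion's scopes
    if client_id:
        params["client_id"] = client_id  # optional in this grant type
    return params


def verify_assertion(jwt: str, key: bytes = SHARED_KEY, now: Optional[float] = None) -> dict:
    """AS side: check algorithm, signature, required claims, audience and expiry."""
    try:
        header_b64, body_b64, sig_b64 = jwt.split(".")
    except ValueError:
        raise ValueError("malformed assertion") from None
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":      # pin the expected algorithm; never trust the header's choice
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    for name in ("iss", "sub", "aud", "exp"):
        if name not in claims:
            raise ValueError(f"missing claim {name}")
    if claims["aud"] != TOKEN_ENDPOINT:
        raise ValueError("assertion not intended for this token endpoint")
    if claims["exp"] <= (time.time() if now is None else now):
        raise ValueError("assertion expired")
    return claims


def decide_scopes(claims: dict, request: dict) -> set:
    """Scopes in the assertion are the ceiling; the request's scope may only narrow them.
    Assumed policy: an assertion with no scope claim authorises nothing, so any requested
    scope is refused and an absent request scope yields the empty set (AS default applies)."""
    authorised = set(claims.get("scope", "").split())
    requested = set(request.get("scope", "").split())
    if not requested:
        return authorised
    if not requested <= authorised:
        raise ValueError(f"requested scope exceeds assertion: {sorted(requested - authorised)}")
    return requested


def process_token_request(request: dict, now: Optional[float] = None) -> dict:
    """AS side: handle one token request and return what would be issued."""
    if request.get("grant_type") != GRANT_TYPE:
        raise ValueError("unsupported grant_type")
    if "assertion" not in request:
        raise ValueError("assertion is required")
    claims = verify_assertion(request["assertion"], now=now)
    # client_id, if present, is independent of the assertion here; binding the assertion to
    # one client (a holder-of-key style profile) would need extra claims not modelled.
    return {"sub": claims["sub"], "scope": " ".join(sorted(decide_scopes(claims, request)))}


if __name__ == "__main__":
    now = 1_700_000_000  # fixed clock so the demo is reproducible
    jwt = mint_assertion({"iss": "client-123", "sub": "alice@example.test",
                          "aud": TOKEN_ENDPOINT, "exp": now + 300, "scope": "read write"})
    print(process_token_request(build_token_request(jwt, scope="read"), now=now))
```

Run it as-is to see a down-scoped request accepted; swap `scope="read"` for `scope="read admin"` and the server refuses, because the request asked for a scope the assertion never authorised. The `now` parameter exists only so expiry can be tested with a fixed clock.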