On Sunday, 5 May 2019 15:54:48 CEST you wrote:
> On Fri, May 3, 2019 at 9:39 AM Emond Papegaaij <emond.papega...@gmail.com>
> > To summarize, I have the following questions:
> > - Is the 'OAuth 2.0 Token Exchange' specification still active?
>
> Yes with the caveats mentioned above. I will say that although there's a
> lot of work required for the document, none of it is likely to result in
> functional changes so I don't anticipate anything breaking at this point.

Good to hear, because IMHO it really adds value to OAuth 2.0.

> > - Can 'audience' be added to 'Resource Indicators for OAuth 2.0'?
>
> No, that's beyond its current scope. And it is well past last call in the
> WG. But note that a logical identifier can be used as the value of the
> resource parameter.

Would you recommend to put the AWS entity id in the resource parameter on the authorize request then? I need a way to inform the authorization server that the client wants a token for a different service to allow the authorization server to prompt the user for correct consent.

I like the 'audience' parameter defined by the token exchange specification, because it really fits the purpose I'm looking for. However, I also like to keep the authorization request and token request similar. It looks wrong to ask for authorization for 'resource' X and later on request a token for 'audience' X.

Best regards,
Emond Papegaaij
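
The pattern discussed in this message, a logical identifier carried in `resource` on the authorization request and again on the token request, sketched as an added example that is not part of the original e-mail. The endpoint, the identifier and all function names are constructed for illustration; `invalid_target` is the error code defined by Resource Indicators for OAuth 2.0.

```python
from urllib.parse import urlencode, urlsplit

# Constructed sample values (assumptions, not taken from the thread).
AUTHZ_ENDPOINT = "https://as.example.com/authorize"
TARGET = "urn:example:target-service"  # logical identifier used as 'resource'


def valid_resource(value: str) -> bool:
    """A 'resource' value must be an absolute URI without a fragment."""
    parts = urlsplit(value)
    return bool(parts.scheme) and "#" not in value


def authorization_url(client_id: str, redirect_uri: str, resource: str) -> str:
    """Client side: name the target service so the authorization server
    can prompt the user for consent to that specific service."""
    query = urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "resource": resource,
    })
    return f"{AUTHZ_ENDPOINT}?{query}"


def check_token_request(granted: set, requested: list) -> dict:
    """Authorization-server side: issue a token only for a target that was
    covered by the consent given on the authorization request."""
    for res in requested:
        if not valid_resource(res) or res not in granted:
            return {"error": "invalid_target"}
    # No 'resource' on the token request: this example falls back to
    # everything that was granted (a policy choice made for the example).
    return {"audience": sorted(requested or granted)}
```

Using the same parameter name and value in both requests lets the server compare them directly, which is the symmetry the message asks for.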