> On Dec 11, 2021, at 3:35 AM, Nikos Fotiou <fot...@aueb.gr> wrote:
> 
> Hi,
> 
> I have a use case where a resource server is protected and can only be 
> accessed if a JWT is presented. Is there any way for the server to "indicate" 
> the "expected" format of the JWT? For example, respond to unauthorized 
> requests with something that would be translated into "I expect tokens from 
> iss X with claims [A,B,C]"

Normally, the scope of the token is part of the contract between the resource 
server and client (what sort of authorization is needed for the resource 
server), but other aspects of the relationship - such as format, or required 
information, or additional verification steps the user needs to take - are part 
of the contract between the AS and resource server.

The ways to work with indicating that these requirements exist at token 
issuance include:

1. Scopes - wrap requirements up into scopes, such as having an “admin” scope 
require additional user authentication, or a “purchasing” scope require the 
user’s shipping address be embedded as a claim

2. Resources - require the client to use the `resource` parameter to indicate 
which resource server the token is meant for, and use AS policy to say which 
RSs get what sort of tokens or have what sort of issuance policy.

-DW
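As an added example (not code from the thread or from either poster), here is a small Python model of the reply's two options on the resource-server side: the RS pins the issuer, the resource indicator it expects in `aud`, the claims a scope is supposed to carry, and the scope itself, and it answers a bad token with the RFC 6750 `WWW-Authenticate` challenge, which is the only standard place an RS can tell a client what it expects, and can only name the scope, not the claim layout. The client side of option 2 (the RFC 8707 `resource` parameter) is shown as the token request body. The URLs, key, client id, code and claim values are constructed for the example; HS256 with a shared key stands in for the AS's real signing so the block runs offline with the standard library only.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional
from urllib.parse import urlencode

# Constructed resource-server policy (hypothetical URLs). In the thread's terms this is the
# AS<->RS contract: which issuer, which resource indicator, which claims, which scope.
RS_POLICY = {
    "iss": "https://as.example",
    "aud": "https://rs.example/api",          # the value the client sends as `resource`
    "required_claims": ["sub", "shipping_address"],
    "required_scopes": {"purchasing"},
}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, key: bytes) -> str:
    """Stand-in for the AS: HS256 JWT under a shared demo key (a real AS would sign with an
    asymmetric key the RS fetches from its JWKS endpoint)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "at+jwt"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def verify_signature(token: str, key: bytes) -> Optional[dict]:
    """Return the claims if the token is well formed and signed with `key`, else None."""
    try:
        header, payload, sig = token.split(".")
        hdr = json.loads(b64url_decode(header))
        if hdr.get("alg") != "HS256":       # pin the algorithm; never honour alg=none etc.
            return None
        expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            return None
        return json.loads(b64url_decode(payload))
    except ValueError:                      # wrong segment count, bad base64 or bad JSON
        return None


def check_token(token: str, key: bytes, policy: dict, now: Optional[float] = None):
    """Apply the RS policy. Returns (ok, error, description); `error` is an RFC 6750 code."""
    claims = verify_signature(token, key)
    if claims is None:
        return False, "invalid_token", "signature or format check failed"
    now = time.time() if now is None else now
    if claims.get("iss") != policy["iss"]:
        return False, "invalid_token", "unexpected issuer"
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if policy["aud"] not in audiences:
        return False, "invalid_token", "token not issued for this resource"
    if claims.get("exp", 0) <= now:
        return False, "invalid_token", "token expired"
    missing = [c for c in policy["required_claims"] if c not in claims]
    if missing:
        return False, "invalid_token", "missing claims: " + ",".join(missing)
    granted = set(claims.get("scope", "").split())
    lacking = policy["required_scopes"] - granted
    if lacking:
        return False, "insufficient_scope", "missing scope: " + " ".join(sorted(lacking))
    return True, None, None


def challenge_header(policy: dict, error: Optional[str] = None,
                     description: Optional[str] = None) -> str:
    """WWW-Authenticate value for the 401/403 (RFC 6750 section 3): realm, the scope the RS
    wants, and the error code. Claim requirements have no slot here; they stay AS<->RS."""
    parts = [f'realm="{policy["aud"]}"',
             f'scope="{" ".join(sorted(policy["required_scopes"]))}"']
    if error:
        parts.append(f'error="{error}"')
        parts.append(f'error_description="{description}"')
    return "Bearer " + ", ".join(parts)


def token_request_body(client_id: str, code: str, policy: dict) -> str:
    """Client side of option 2: name the RS with the RFC 8707 `resource` parameter so the AS
    can select the issuance policy (audience, claims) for that RS."""
    return urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "client_id": client_id,
        "resource": policy["aud"],
        "scope": " ".join(sorted(policy["required_scopes"])),
    })


if __name__ == "__main__":
    KEY = b"constructed-demo-key"
    claims = {"iss": RS_POLICY["iss"], "aud": RS_POLICY["aud"], "sub": "alice",
              "exp": time.time() + 600, "scope": "openid purchasing",
              "shipping_address": "1 Example St"}
    print(check_token(mint_token(claims, KEY), KEY, RS_POLICY))
    ok, err, desc = check_token(mint_token(dict(claims, scope="openid"), KEY), KEY, RS_POLICY)
    print(challenge_header(RS_POLICY, err, desc))
    print(token_request_body("demo-client", "constructed-code", RS_POLICY))
```

The `aud` check is what makes the `resource` parameter useful to the RS: a token minted for another resource fails even if it carries every claim and scope this RS wants, so the AS-side issuance policy per resource is actually enforced at the point of use.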
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth