Hi Folks, I have worked with JWT bearer grant a while back and a question always nagged me. I think this is the right list to ask since I came across many blogs giving examples of OpenID connect token used as a JWT bearer grant.
Is it semantically correct to use the OpenID Connect id_token as a JWT bearer grant? According to the OAuth JWT Bearer grant spec <https://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-12#section-3.1>, a valid JWT should have some sort of identifier (the token endpoint may be used) of the token-issuing authorization server within the audience claim:

"The JWT MUST contain an "aud" (audience) claim containing a value that identifies the authorization server as an intended audience. The token endpoint URL of the authorization server MAY be used as a value for an "aud" element to identify the authorization server as an intended audience of the JWT. The Authorization Server MUST reject any JWT that does not contain its own identity as the intended audience. In the absence of an application profile specifying otherwise, compliant applications MUST compare the audience values using the Simple String Comparison method defined in Section 6.2.1 of RFC 3986 [RFC3986]. As noted in Section 5, the precise strings to be used as the audience for a given Authorization Server must be configured out-of-band by the Authorization Server and the Issuer of the JWT."

So if we use the OpenID Connect id token as a JWT bearer grant, we need to have a mechanism or a standard way to request a token to be given to a specific OAuth token issuer. Is this possible with an OpenID Connect token?

Thanks,
Farasath Ahamed
Software Engineer, WSO2 Inc.; http://wso2.com
Mobile: +94777603866
Blog: blog.farazath.com
Twitter: @farazath619 <https://twitter.com/farazath619>
_______________________________________________ specs mailing list [email protected] http://lists.openid.net/mailman/listinfo/openid-specs
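The check the post quotes from the JWT bearer profile (draft-ietf-oauth-jwt-bearer, later published as RFC 7523, section 3) is easy to get wrong on the "aud" claim, so here is a worked illustration of what a token endpoint has to verify before accepting a JWT as an authorization grant. This is an added example, not code from the post, from WSO2 or from any OpenID implementation; it assumes an HS256 shared key and constructed issuer, audience and subject values purely so the block runs offline (a real issuer would sign with an asymmetric key resolved from its published keys). It shows why an ordinary id_token, whose "aud" is the relying party's client_id, fails the audience check, while an assertion whose "aud" names the authorization server's token endpoint passes, and why Simple String Comparison (RFC 3986 section 6.2.1) means an exact, case-sensitive match with no URI normalisation.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed sample values (assumptions for this example, not from the post).
TOKEN_ENDPOINT = "https://as.example.com/oauth2/token"   # the AS's own identity
SHARED_KEY = b"constructed-demo-key-not-for-production"  # HS256 key for the demo only
NOW = 1_700_000_000                                      # fixed clock for reproducibility


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_jwt(claims: dict, key: bytes = SHARED_KEY) -> str:
    """Mint an HS256 JWT for the demo (hypothetical issuer, symmetric key)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def validate_bearer_assertion(token: str, as_identity: str = TOKEN_ENDPOINT,
                              key: bytes = SHARED_KEY, now=None):
    """Validate a JWT presented with grant_type urn:ietf:params:oauth:grant-type:jwt-bearer.
    Applies the section 3 requirements: signature, iss, sub, aud (identifying this AS,
    compared with Simple String Comparison) and exp. Returns (accepted, reason)."""
    now = time.time() if now is None else now
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(body_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:
        return False, "malformed JWT"
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return False, "malformed JWT"

    # Signature first: an unsigned JWT (alg "none") is never a valid assertion.
    if header.get("alg") != "HS256":
        return False, "unsupported or missing alg"
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"

    for required in ("iss", "sub", "aud", "exp"):
        if required not in claims:
            return False, f"missing {required} claim"

    # "aud" may be a single string or an array of strings. Simple String Comparison
    # means exact, case-sensitive, character-by-character matching: no URI
    # normalisation, no prefix or host matching.
    aud = claims["aud"]
    audiences = aud if isinstance(aud, list) else [aud]
    if not any(isinstance(a, str) and a == as_identity for a in audiences):
        return False, "aud does not identify this authorization server"

    if not isinstance(claims["exp"], (int, float)) or claims["exp"] <= now:
        return False, "assertion expired"
    return True, "accepted"


def sample_id_token() -> str:
    # Shape of a typical OpenID Connect id_token: "aud" is the RP's client_id,
    # not the authorization server's identity (constructed values).
    return make_jwt({"iss": "https://op.example.com", "sub": "user-123",
                     "aud": "rp-client-id-abc", "exp": NOW + 300, "iat": NOW, "nonce": "n-1"})


def sample_bearer_assertion(aud=TOKEN_ENDPOINT) -> str:
    # Assertion minted for the JWT bearer grant: "aud" names the AS's token endpoint.
    return make_jwt({"iss": "https://op.example.com", "sub": "user-123",
                     "aud": aud, "exp": NOW + 300, "iat": NOW})


def demo() -> dict:
    return {
        "id_token": validate_bearer_assertion(sample_id_token(), now=NOW),
        "assertion": validate_bearer_assertion(sample_bearer_assertion(), now=NOW),
        "multi_aud": validate_bearer_assertion(
            sample_bearer_assertion(["rp-client-id-abc", TOKEN_ENDPOINT]), now=NOW),
        "case_variant": validate_bearer_assertion(
            sample_bearer_assertion("https://AS.example.com/oauth2/token"), now=NOW),
        "expired": validate_bearer_assertion(sample_bearer_assertion(), now=NOW + 600),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:13s} -> {result}")
```

The "multi_aud" case shows the one way an id_token-like JWT could satisfy the rule: the issuer has to be told, out of band as section 5 requires, to include the target authorization server's identity as an additional audience when minting the token, which is exactly the mechanism the post asks about.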
