JWT is definitely not at odds with OAuth. I guess you could say JWT is potentially complementary in a number of ways (they can be used together but don't need to be). Though I'm not aware of any spec work around it, I suspect many will choose to use JWT as a bearer access token format. JWTs can also be used as an OAuth grant type [1], which is based on similar functionality for SAML tokens [2].
[1] http://tools.ietf.org/html/draft-jones-oauth-jwt-bearer
[2] http://tools.ietf.org/html/draft-ietf-oauth-saml2-bearer

On Wed, Aug 31, 2011 at 3:15 PM, Justin Karneges <jus...@affinix.com> wrote:
> On Wednesday, August 31, 2011 02:05:58 PM George Fletcher wrote:
>> You could also use a signed JWT returned by the resource owner (web
>> site) to be presented to the resource server (widget provider) that the
>> resource server can validate (e.g. verify the signature). The JWT can
>> contain scopes, expiry time, etc as needed. If the widget provider needs
>> to access services at the resource owner, the JWT can contain an
>> appropriate access_token for the user.
>
> Interesting, I was not aware of JSON Web Tokens until now. Is there a
> relationship to OAuth? Are they at odds or serve different purposes?
>
> Justin
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth