Very nice. The token format is straightforward, and not terribly unlike our current "proprietary" approach (we use CSV instead of JSON, but at the end of the day it's a bunch of fields and HMAC). Even if all we did was swap out our current format for JWT, I think that would be a big win.
So, in the context of OAuth, the website could provide a JWT-formatted Authorization Grant with the page, and then the client could pass that grant to the widget provider to obtain an access token. The token could then be used to access resources at the widget provider.

JWT grant fields:
  iss = website
  prn = the user logged into the website?
  aud = widget provider

Does this seem right?

One other question: can the access token step be bypassed, such that a resource can be accessed directly with the grant?

Thanks
Justin

On Wednesday, August 31, 2011 03:48:20 PM Brian Campbell wrote:
> JWT is definitely not at odds with OAuth. I guess you could say JWT
> is potentially complementary in a number of ways (they can be used
> together but don't need to be). Though I'm not aware
> of any spec work around it, I suspect many will choose to use JWT as a
> bearer access token format. JWTs can also be used as an OAuth grant
> type [1] which is based on similar functionality for SAML tokens [2].
>
> [1] http://tools.ietf.org/html/draft-jones-oauth-jwt-bearer
> [2] http://tools.ietf.org/html/draft-ietf-oauth-saml2-bearer
>
> On Wed, Aug 31, 2011 at 3:15 PM, Justin Karneges <jus...@affinix.com> wrote:
> > On Wednesday, August 31, 2011 02:05:58 PM George Fletcher wrote:
> >> You could also use a signed JWT returned by the resource owner (web
> >> site) to be presented to the resource server (widget provider) that the
> >> resource server can validate (e.g. verify the signature). The JWT can
> >> contain scopes, expiry time, etc as needed. If the widget provider needs
> >> to access services at the resource owner, the JWT can contain an
> >> appropriate access_token for the user.
> >
> > Interesting, I was not aware of JSON Web Tokens until now. Is there a
> > relationship to OAuth? Are they at odds or serve different purposes?
> >
> > Justin
> > _______________________________________________
> > OAuth mailing list
> > OAuth@ietf.org
> > https://www.ietf.org/mailman/listinfo/oauth
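The grant described in this thread (a signed JWT minted by the website, carrying iss/prn/aud plus an expiry, and validated by the widget provider) as a worked example in Python. This is added illustration, not code from the thread, the OAuth working group, or the JWT drafts: the shared HMAC key, the claim values, the URLs and the fixed timestamps are constructed for the example, and "prn" is used as the subject claim only because that is the name the thread uses. The verifier does what a resource server should do before trusting any field: pin the algorithm to an allow-list, check the HMAC in constant time, and only then check issuer, audience and expiry.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed shared secret for the example; in practice the website and the
# widget provider would each hold this (or use an asymmetric key pair).
SHARED_KEY = b"constructed-example-secret-do-not-reuse"

WEBSITE = "https://website.example"          # constructed iss value
WIDGET_PROVIDER = "https://widgets.example"   # constructed aud value


def _b64url(data: bytes) -> str:
    """Base64url without padding, as the JWT compact serialization requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    """Re-add the padding the encoder stripped, then decode."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def mint_grant(principal: str, lifetime_s: int, key: bytes, now: Optional[float] = None) -> str:
    """Website side: build an HS256-signed JWT grant for the logged-in user."""
    now = time.time() if now is None else now
    header = {"typ": "JWT", "alg": "HS256"}
    claims = {
        "iss": WEBSITE,             # who vouches for the user
        "prn": principal,           # the user logged into the website
        "aud": WIDGET_PROVIDER,     # the only party allowed to accept it
        "iat": int(now),
        "exp": int(now) + lifetime_s,
    }
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    tag = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(tag)


def verify_grant(token: str, key: bytes, expected_iss: str, expected_aud: str,
                 now: Optional[float] = None) -> dict:
    """Widget-provider side: return the claims if the grant is acceptable, else raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h_b64, c_b64, s_b64 = parts

    # Pin the algorithm before doing anything with the token; the header is
    # attacker-controlled until the signature has been checked.
    header = json.loads(_b64url_decode(h_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")

    expected_tag = hmac.new(key, (h_b64 + "." + c_b64).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_tag, _b64url_decode(s_b64)):
        raise ValueError("bad signature")

    # Only now are the claims trustworthy enough to read.
    claims = json.loads(_b64url_decode(c_b64))
    if claims.get("iss") != expected_iss:
        raise ValueError("wrong issuer")
    if claims.get("aud") != expected_aud:
        raise ValueError("wrong audience")
    now = time.time() if now is None else now
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("expired or missing exp")
    return claims


def rejection_reason(token: str, key: bytes, expected_iss: str, expected_aud: str,
                     now: Optional[float] = None) -> Optional[str]:
    """Convenience wrapper: None if the grant is accepted, otherwise the reason it was refused."""
    try:
        verify_grant(token, key, expected_iss, expected_aud, now)
        return None
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    grant = mint_grant("alice", lifetime_s=300, key=SHARED_KEY, now=1_000_000)
    print(grant)
    print(verify_grant(grant, SHARED_KEY, WEBSITE, WIDGET_PROVIDER, now=1_000_100))
```

The claims are decoded only after the HMAC has been verified, and the expiry check uses the same clock the caller supplies, so the widget provider can test its acceptance policy deterministically.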