You can actually issue a JWT as an access token (since OAuth doesn't care about the token format), so in this case the JWT would be used to get access to the widget provider. The JWT would be a pre-signed bearer token that the provider would know how to check.

 -- Justin

On 9/2/2011 6:50 PM, Justin Karneges wrote:
Very nice.  The token format is straightforward, and not terribly unlike our
current "proprietary" approach (we use CSV instead of JSON, but at the end of
the day it's a bunch of fields and HMAC).  Even if all we did was swap out our
current format for JWT, I think that would be a big win.

So, in the context of OAuth, the website could provide a JWT-formatted
Authorization Grant with the page, and then the client could pass that grant
to the widget provider to obtain an access token.  The token could then be
used to access resources at the widget provider.

JWT grant fields:
   iss = website
   prn = the user logged into the website?
   aud = widget provider

Does this seem right?

One other question: can the access token step be bypassed, such that a
resource can be accessed directly with the grant?

Thanks
Justin

On Wednesday, August 31, 2011 03:48:20 PM Brian Campbell wrote:
JWT is definitely not at odds with OAuth.  I guess you could say JWT
is potentially complementary in a number of ways (they can be used
together but don't need to be).  Though I'm not aware
of any spec work around it, I suspect many will choose to use JWT as a
bearer access token format.  JWTs can also be used as an OAuth grant
type [1] which is based on similar functionality for SAML tokens [2].

[1] http://tools.ietf.org/html/draft-jones-oauth-jwt-bearer
[2] http://tools.ietf.org/html/draft-ietf-oauth-saml2-bearer

On Wed, Aug 31, 2011 at 3:15 PM, Justin Karneges <jus...@affinix.com> wrote:
On Wednesday, August 31, 2011 02:05:58 PM George Fletcher wrote:
You could also use a signed JWT returned by the resource owner (web
site) to be presented to the resource server (widget provider) that the
resource server can validate (e.g. verify the signature). The JWT can
contain scopes, expiry time, etc as needed. If the widget provider needs
to access services at the resource owner, the JWT can contain an
appropriate access_token for the user.

Interesting, I was not aware of JSON Web Tokens until now.  Is there a
relationship to OAuth?  Are they at odds or serve different purposes?

Justin
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
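Editor's added example, not code from any of the posters above: the Python sketch below puts the two ideas in this thread side by side. The website mints the JWT authorization grant with the fields Justin lists (iss = website, prn = the logged-in user, aud = widget provider), the client presents it at the widget provider's token endpoint as a jwt-bearer grant, and the provider answers with an access token that is itself a pre-signed JWT, which its resource endpoint then checks (signature, alg, iss, aud, exp). Assumptions that the thread does not state: the signature is HMAC-SHA256 over the compact serialisation with shared secrets (the thread only says "signed"; George's JWT could equally be RSA-signed), the party names, keys, lifetimes and scope value are all constructed, and the grant_type URN is the jwt-bearer one standardised in RFC 7523, the successor to draft [1]. The claim name prn is kept as in the thread; it is the 2011 draft name for the claim the final JWT spec calls sub. The grant and the access token are signed under different keys with different issuers, so the resource endpoint refuses a grant that is presented directly, which is the separation Justin asks about.

```python
"""Added example (not from the thread): JWT as an OAuth authorization grant
and as a bearer access token, HS256 over the compact serialisation.
All names, keys, lifetimes and scopes below are constructed for illustration."""
import base64
import hashlib
import hmac
import json
import time

# Constructed identifiers for the parties in the thread.
WEBSITE = "https://website.example"            # resource owner, issues the grant
WIDGET_PROVIDER = "https://widgets.example"    # token endpoint + resource server
GRANT_KEY = b"secret shared by website and widget provider"   # constructed
ACCESS_KEY = b"widget provider's own access-token key"        # constructed
JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"    # RFC 7523 grant_type


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jwt_sign(claims: dict, key: bytes) -> str:
    """Compact JWT: base64url(header).base64url(claims).base64url(HMAC-SHA256)."""
    header = _b64url(json.dumps({"typ": "JWT", "alg": "HS256"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{body}"
    mac = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(mac)}"


def jwt_verify(token: str, key: bytes, issuer: str, audience: str, now: int) -> dict:
    """Return the claims if alg, signature, iss, aud and exp all check out; else raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, body_b64, sig_b64 = parts
    header = json.loads(_unb64url(header_b64))
    if header.get("alg") != "HS256":          # accept only the algorithm we expect
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig_b64)):   # constant-time compare
        raise ValueError("bad signature")
    claims = json.loads(_unb64url(body_b64))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    if claims.get("aud") != audience:
        raise ValueError("wrong audience")
    if now >= int(claims.get("exp", 0)):
        raise ValueError("expired")
    return claims


def website_issue_grant(user: str, now: int) -> str:
    """Website side: short-lived grant embedded in the page for the client to forward."""
    return jwt_sign({"iss": WEBSITE, "prn": user, "aud": WIDGET_PROVIDER,
                     "iat": now, "exp": now + 300}, GRANT_KEY)


def widget_token_endpoint(form: dict, now: int) -> dict:
    """Widget provider token endpoint: exchanges a valid jwt-bearer grant for an access token."""
    if form.get("grant_type") != JWT_BEARER:
        return {"error": "unsupported_grant_type"}
    try:
        grant = jwt_verify(form.get("assertion", ""), GRANT_KEY, WEBSITE, WIDGET_PROVIDER, now)
    except ValueError as exc:
        return {"error": "invalid_grant", "error_description": str(exc)}
    # The access token is itself a JWT, but under a different key and issuer,
    # so a grant cannot be replayed at the resource endpoint in its place.
    token = jwt_sign({"iss": WIDGET_PROVIDER, "prn": grant["prn"], "aud": WIDGET_PROVIDER,
                      "scope": "widget:read", "exp": now + 3600}, ACCESS_KEY)
    return {"access_token": token, "token_type": "bearer", "expires_in": 3600}


def widget_resource(authorization: str, now: int) -> dict:
    """Widget provider resource endpoint: accepts only its own bearer access tokens."""
    if not authorization.startswith("Bearer "):
        return {"error": "invalid_request"}
    try:
        claims = jwt_verify(authorization[len("Bearer "):], ACCESS_KEY,
                            WIDGET_PROVIDER, WIDGET_PROVIDER, now)
    except ValueError as exc:
        return {"error": "invalid_token", "error_description": str(exc)}
    return {"user": claims["prn"], "scope": claims["scope"], "widgets": ["weather", "stocks"]}


if __name__ == "__main__":
    now = int(time.time())
    grant = website_issue_grant("alice", now)
    token_response = widget_token_endpoint({"grant_type": JWT_BEARER, "assertion": grant}, now)
    print(widget_resource("Bearer " + token_response["access_token"], now + 1))
    print(widget_resource("Bearer " + grant, now))   # the grant alone is refused
```

Two design points worth noting: the verifier pins alg to the one value it expects and compares MACs in constant time, and the grant is deliberately short-lived (five minutes here) because it is a bearer credential sitting in a web page.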