Hi, I'm considering using JWT tokens as access tokens in a scenario where the AS is rather decoupled from the RS. Namely, the same AS will manage the authorization for multiple RSs. Using JWT for short-lived non-revocable access tokens means that the RS is able to obtain all the authorization grant information without contacting the AS or using a shared store.
My plan is to encode in the JWT token all the relevant authorization grant information, namely:

1) The authorizing user (RO) claims
2) The authorized client information - at least its client_id, but there can be more client info available
3) The authorized scopes

Are there any guidelines on how to represent this information as claims of a JWT token? Namely, how can we group this info such that there are no collisions between user claims and client claims?

Thanks,
Pedro
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
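One concrete way to lay out the three groups of claims Pedro asks about, as an added example that is not part of the original post: the standard claims (`iss`, `sub`, `aud`, `exp`, `iat`, `jti`, `client_id`, `scope`) stay at the top level, matching the names RFC 9068 (JWT Profile for OAuth 2.0 Access Tokens) specifies, while any further RO attributes and client attributes are nested under separate `user` and `client` objects so a claim such as `name` can exist in both vocabularies without colliding. The AS side mints the token, the RS side verifies it with nothing but the key and checks audience, expiry and scope locally, which is the decoupled flow described above. The key, issuer URL, RS URLs and the user/client data are all constructed for the example. HS256 is used only to keep the code dependency-free; with several RSs, a shared MAC key would let any one RS forge tokens for the others, so an asymmetric algorithm (RS256/ES256) with the AS's public key distributed to the RSs is the right choice for this scenario.

```python
"""Added example: self-contained JWT access token minted by an AS and verified
offline by an RS. Not code from the original mailing-list post; the claim
layout, key, URLs and sample user/client data are constructed for illustration.
"""
import base64
import hashlib
import hmac
import json
import secrets

# Constructed demo secret. HS256 keeps this stdlib-only; with multiple RSs use
# an asymmetric alg (RS256/ES256) so each RS holds only the AS public key.
DEMO_KEY = b"constructed-demo-shared-secret-do-not-reuse"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_access_token(key, issuer, audiences, user, client, scopes, lifetime_s, now):
    """AS side. Standard claims stay top-level; RO-specific and client-specific
    extras go under separate "user" and "client" objects so the two claim
    vocabularies cannot collide (both may legitimately carry a "name")."""
    payload = {
        "iss": issuer,
        "sub": user["sub"],                 # the resource owner
        "aud": list(audiences),             # every RS this grant is valid for
        "iat": now,
        "exp": now + lifetime_s,            # short-lived; there is no revocation list
        "jti": secrets.token_urlsafe(16),
        "client_id": client["client_id"],   # name RFC 9068 uses for the authorized client
        "scope": " ".join(scopes),          # space-delimited, as in RFC 6749 token responses
        "user": {k: v for k, v in user.items() if k != "sub"},
        "client": {k: v for k, v in client.items() if k != "client_id"},
    }
    header = {"alg": "HS256", "typ": "at+jwt"}  # "at+jwt" is the RFC 9068 access-token type
    signing_input = _b64url(json.dumps(header, separators=(",", ":")).encode()) + "." + \
        _b64url(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_access_token(key, token, issuer, my_audience, required_scope, now):
    """RS side. Everything needed is inside the token; no call back to the AS."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(parts[0]))
    # Pin algorithm and type: never let the token choose "none" or another alg,
    # and do not accept an ID token where an access token is expected.
    if header.get("alg") != "HS256" or header.get("typ") != "at+jwt":
        raise ValueError("unexpected header")
    expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(parts[1]))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud", [])
    if my_audience not in ([aud] if isinstance(aud, str) else aud):
        raise ValueError("token not issued for this RS")
    if now >= claims["exp"]:
        raise ValueError("expired")
    if required_scope not in claims.get("scope", "").split():
        raise ValueError("insufficient_scope")
    return claims


def demo():
    """Mint one token and run it through the RS checks; returns the outcomes."""
    issued_at = 1_700_000_000
    token = mint_access_token(
        DEMO_KEY, "https://as.example", ["https://rs1.example", "https://rs2.example"],
        {"sub": "user-123", "name": "Pedro", "email": "pedro@example.org"},
        {"client_id": "app-42", "name": "Mobile App"},
        ["read:orders", "write:orders"], 300, issued_at)

    def attempt(**kw):
        args = dict(key=DEMO_KEY, token=token, issuer="https://as.example",
                    my_audience="https://rs2.example", required_scope="read:orders",
                    now=issued_at + 100)
        args.update(kw)
        try:
            return verify_access_token(**args)
        except ValueError as e:
            return str(e)

    # alg=none forgery: keep the real payload, swap the header, drop the signature
    forged = _b64url(b'{"alg":"none","typ":"at+jwt"}') + "." + token.split(".")[1] + "."
    return {
        "ok": attempt(),
        "other_rs": attempt(my_audience="https://rs3.example"),
        "expired": attempt(now=issued_at + 300),
        "missing_scope": attempt(required_scope="admin"),
        "forged": attempt(token=forged),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2, default=str))
```

The `aud` check matters most in the multi-RS setup: without it, a token granted for one RS is replayable against every other RS that trusts the same AS. Pinning `alg` and `typ` on the RS side closes the alg-confusion and ID-token-as-access-token mistakes, and `hmac.compare_digest` keeps the signature comparison constant-time.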