Are you advocating TWO systems? That seems like a bad choice. I would rather fix scope than go to a two system approach.
Phil Sent from my phone. On 2013-02-28, at 8:17, John Bradley <ve7...@ve7jtb.com> wrote: > While scope is one method that a AS could communicate authorization to a RS, > it is not the only or perhaps even the most likely one. > Using scope requires a relatively tight binding between the RS and AS, UMA > uses a different mechanism that describes finer grained operations. > The AS may include roles, user, or other more abstract claims that the the > client may (god help them) pass on to EXCML for processing. > > While having a scopes claim is possible, like any other claim it is not part > of the JWT core security processing claims, and needs to be defined by > extension. > > John B. > On 2013-02-28, at 2:29 AM, Hannes Tschofenig <hannes.tschofe...@gmx.net> > wrote: > >> Hi Mike, >> >> when I worked on the MAC specification I noticed that the JWT does not have >> a claim for the scope. I believe that this would be needed to allow the >> resource server to verify whether the scope the authorization server >> authorized is indeed what the client is asking for. >> >> Ciao >> Hannes >> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
