Hi Mike, I’m planning to use the Token Exchange spec for a use-case described below.

1. a native app obtains an access_token & an id_token from an IdP
2. the native app passes the id_token to its own backend component
3. the backend component obtains an access token from the IdP using the id_token via token exchange

In this use-case, the IdP will issue an id_token like the gist below.
https://gist.github.com/nov/d760b78c5cce8248b308

In the gist, the “cnf” and “scopes” claims come from OpenID Connect ACDC discussed in the NAPPS WG.
https://bitbucket.org/openid/napps/src/c22a2adb3f66f7a34fb599285720498782390f7d/draft-acdc-01.txt?at=default&fileviewer=file-view-default

And now I realized ACDC defines a “scopes” claim and Token Exchange defines “scp”.
In my case, the first id_token will include the “scopes” claim, and the access token issued to the client's backend component includes the “scp” claim.
It’s theoretically OK, but I prefer those two claims have the same name…

nov

> On Dec 14, 2015, at 17:05, Mike Jones <michael.jo...@microsoft.com> wrote:
>
> I’m happy to report that a substantially revised OAuth 2.0 Token Exchange
> draft has been published that enables a broad range of use cases, while still
> remaining as simple as possible. This draft unifies the approaches taken in
> the previous working group draft and draft-campbell-oauth-sts, incorporating
> working group input from the in-person discussions in Prague and mailing list
> discussions. Thanks to all for your interest in and contributions to OAuth
> Token Exchange! Brian Campbell deserves special recognition for doing much
> of the editing heavy lifting for this draft.
>
> The core functionality remains token type independent. That said, new claims
> are also defined to enable representation of delegation actors in JSON Web
> Tokens (JWTs). Equivalent claims could be defined for other token types by
> other specifications.
>
> See the Document History section for a summary of the changes made. Please
> check it out!
>
> The specification is available at:
> · http://tools.ietf.org/html/draft-ietf-oauth-token-exchange-03
>
> An HTML-formatted version is also available at:
> · http://self-issued.info/docs/draft-ietf-oauth-token-exchange-03.html
>
> -- Mike
>
> P.S. This note was also posted at http://self-issued.info/?p=1509 and as @selfissued <https://twitter.com/selfissued>.
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
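The three-step flow nov describes (native app gets an id_token, hands it to its own backend, backend exchanges it for an access token), as an added example that is not part of the post, the gist, or the Token Exchange draft. It is a self-contained toy IdP plus backend in one file. Assumptions, all constructed for the demo: HS256 with a shared secret instead of the IdP's real signing key, the issuer, client_id and resource values, the policy that the issued access token's scope is the requested scope narrowed by the id_token's ACDC-style "scopes" claim, and the draft's parameter names (grant_type, subject_token, subject_token_type, requested_token_type, resource, scope). The "cnf" claim from the gist is left out. The point it shows is the claim-name seam nov raises: "scopes" on the inbound id_token, "scp" on the outbound access token, with every token verified (signature, alg, iss, aud, exp) before any claim is trusted, on both the backend and the IdP side.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode

# Constructed demo values; a real IdP signs with an asymmetric key published via JWKS.
SECRET = b"constructed-demo-hmac-secret"
ISSUER = "https://idp.example"            # assumed IdP issuer
NATIVE_CLIENT_ID = "native-app-client"   # assumed client_id shared by the native app and its backend
RESOURCE = "https://api.example"         # assumed resource the backend wants to call
TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
ID_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:id_token"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jwt_encode(claims: dict) -> str:
    """Compact HS256 JWS over the claims (demo signing only)."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"


def jwt_verify(token: str, expected_aud: str, now: Optional[float] = None) -> dict:
    """Check signature, alg, iss, aud and exp before trusting any claim; ValueError on failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header, payload, sig = parts
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_unb64(sig), expected):
        raise ValueError("bad signature")
    if json.loads(_unb64(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    claims = json.loads(_unb64(payload))
    now = time.time() if now is None else now
    if claims.get("iss") != ISSUER:
        raise ValueError("bad issuer")
    aud = claims.get("aud")
    if expected_aud not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("bad audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims


def idp_issue_id_token(sub: str, scopes: list, now: float) -> str:
    """Step 1: the IdP issues the native app an id_token carrying the ACDC-style "scopes" claim."""
    return jwt_encode({"iss": ISSUER, "sub": sub, "aud": NATIVE_CLIENT_ID,
                       "iat": int(now), "exp": int(now) + 300, "scopes": scopes})


def idp_token_endpoint(form_body: str, now: float) -> dict:
    """Step 3, IdP side: a Token Exchange request becomes an access token carrying "scp"."""
    form = {k: v[0] for k, v in parse_qs(form_body, strict_parsing=True).items()}
    if form.get("grant_type") != TOKEN_EXCHANGE_GRANT:
        return {"error": "unsupported_grant_type"}
    if form.get("subject_token_type") != ID_TOKEN_TYPE:
        return {"error": "invalid_request"}
    try:
        subject = jwt_verify(form.get("subject_token", ""), NATIVE_CLIENT_ID, now)
    except ValueError:
        return {"error": "invalid_grant"}
    # Assumed policy: grant only what was requested AND what the id_token's "scopes" allows.
    requested = set(form.get("scope", "").split())
    granted = sorted(requested & set(subject.get("scopes", [])))
    if not granted:
        return {"error": "invalid_scope"}
    access_token = jwt_encode({"iss": ISSUER, "sub": subject["sub"],
                               "aud": form.get("resource", RESOURCE),
                               "iat": int(now), "exp": int(now) + 600, "scp": granted})
    return {"access_token": access_token, "issued_token_type": ACCESS_TOKEN_TYPE,
            "token_type": "Bearer", "expires_in": 600}


def backend_exchange(id_token_from_app: str, now: float) -> dict:
    """Steps 2 and 3, backend side: verify what the native app handed over, then exchange it."""
    jwt_verify(id_token_from_app, NATIVE_CLIENT_ID, now)  # reject junk before calling the IdP
    body = urlencode({"grant_type": TOKEN_EXCHANGE_GRANT,
                      "subject_token": id_token_from_app,
                      "subject_token_type": ID_TOKEN_TYPE,
                      "requested_token_type": ACCESS_TOKEN_TYPE,
                      "resource": RESOURCE,
                      "scope": "read write"})
    return idp_token_endpoint(body, now)  # stands in for an HTTPS POST to the token endpoint


def run_flow(now: float = 1_450_000_000.0) -> dict:
    """Whole flow; returns the verified claims of the issued access token (or the error response)."""
    id_token = idp_issue_id_token("alice", ["read"], now)  # what the native app got from the IdP
    response = backend_exchange(id_token, now)
    if "error" in response:
        return response
    return jwt_verify(response["access_token"], RESOURCE, now)


if __name__ == "__main__":
    print(json.dumps(run_flow(), indent=2))
```

Running it prints the access token's claims with `"scp": ["read"]`: the backend asked for `read write`, but the id_token's `"scopes"` only carried `read`, so the IdP narrowed the grant rather than escalating it. The same verification routine guards both hops, so a tampered or expired id_token is rejected by the backend before it ever reaches the token endpoint, and again by the IdP if something bypasses the backend check.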