Hi,
There are multiple places in draft-ietf-oauth-token-exchange-04 where a
differentiation seems to be drawn between 'access_token' and 'jwt' ... for
example in section 2.2.1. when discussing the issued_token_type, it states:
a value of "urn:ietf:params:oauth:token-type:access_token" indicates
that the issued token is an access token and a value of
"urn:ietf:params:oauth:token-type:jwt" indicates that it is a JWT.
This is confusing to me because an access token represents a delegated
authorization decision, whereas JWT is a token *format*. An access
token could easily be a JWT (and in many deployments, they are).
So why the desire to differentiate, and what does the differentiation mean?
tx!
adam
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
