There is a somewhat poorly worded open issue in Token Exchange about being able to represent the client in the token.
There is currently no standard claim for the client in JWT while Token Introspection defines a "client_id" parameter. It's maybe not the ideal place for it but Token Exchange could define such a claim for JWT.

I'm looking for some feedback from the WG on if/how to proceed with this in Token Exchange. As I see it, there are basically 3 options:

1) Define and register a "client_id" JWT claim (consistent with the name in Token Introspection) to carry the client id of the OAuth 2.0 client that requested the token.

2) Define and register a "cid" JWT claim (consistent with the shorter names typical for JWT) to carry the client id of the OAuth 2.0 client that requested the token.

3) Do not define/register any new JWT claim for the client identifier (in the Token Exchange draft anyway).

Feedback/preferences would be appreciated from the WG so as to make some progress on the draft. If pressed, I guess I'd lean towards option #1 myself.
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth