Hi Vittorio et al, some considerations on the OAuth access token JWT draft follow. You can see them here too: https://docs.google.com/document/d/1XsvBzGvhcY0N6vJNgLx6G1dJ5trvgwYRJA9F_NCakbU/edit
An example with the client_credential grant type would be nice too. My 2¢, R.

§ 1.2 Terminology
+ The term "Collision-Resistant" is used according to Section 2 of {{JWT}}.

§ 2.1 Header
- Mentioning the "none" alg can be redundant. I'd reference all of the JWT BCP instead.
- I'd add an example header, e.g.

~~~ example
{
  "typ": "at+jwt",
  "alg": "PS256"
}
~~~

§ 2.2.1 Authentication Information Claims
- Is it worth mentioning the "implicit flow"?

§ 2.2.2 Identity Claims
- Use the "Collision-Resistant" definition in {{JWT}}.

§ 2.2.3 Authorization Claims
- "... scope parameter ..." should `scope` be quoted?
- "All the individual scope strings in the "scope" claim MUST have meaning for the resources indicated in the "aud" claim."
  ^ otherwise the error returned is ...? Should we reference § 4 here?

§ 2.2.3.1 Claims for Authorization Outside of Delegation Scenarios
- Which are the delegated scenarios described in RFC 7519? Do you refer to "When using an administratively delegated namespace"? It is not clear to a first-time reader.

§ 3 Requesting a JWT Access Token
- An example with the `client_credential` grant type would be great.
- IIUC `jti` is required; the example does not report it.

§ 4 Validating JWT Access Tokens
- The step about forbidding "none" is limitative WRT the JWT BCP (RFC 8725).
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
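The points raised in the review above (the `at+jwt` header type, rejecting the "none" algorithm via an allow-list rather than a single blacklisted value, the required claims including `jti`, and scope strings that must be meaningful for the `aud` resource) are easiest to see in a resource-server validation routine. The following is an added example written for this discussion; it is not code from the draft, the reviewer, or any IETF project. It signs with HS256 and a shared key purely so it runs offline with the Python standard library; a real resource server would verify an asymmetric signature (such as PS256 as in the header example above) against the authorization server's published keys. The required-claim list, the sample issuer/audience URLs, the key and the sample claims are all constructed for the example.

```python
"""Minimal resource-server validator for JWT access tokens of the at+jwt profile.

Added example for illustration; not the draft's or the reviewer's code.
HS256 with a shared key is an assumption made only so this runs offline."""
import base64
import hashlib
import hmac
import json
import time

# Claims the draft marks as REQUIRED in a JWT access token (as the reviewer reads it).
REQUIRED_CLAIMS = ("iss", "exp", "aud", "sub", "client_id", "iat", "jti")

# Allow-list of signing algorithms, as the JWT BCP recommends. "none" is rejected
# by construction; a real deployment would list asymmetric algorithms such as PS256.
ALLOWED_ALGS = frozenset({"HS256"})


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_access_token(claims: dict, key: bytes, alg: str = "HS256", typ: str = "at+jwt") -> str:
    """Build a token. alg/typ are parameters only so that malformed tokens can be
    constructed for testing the validator; an issuer would hard-code them."""
    header = {"typ": typ, "alg": alg}
    signing_input = (_b64url_encode(json.dumps(header).encode()) + "."
                     + _b64url_encode(json.dumps(claims).encode()))
    sig = b"" if alg == "none" else hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def validate_access_token(token: str, key: bytes, expected_iss: str, expected_aud: str,
                          resource_scopes=None, now=None) -> dict:
    """Validate an at+jwt token for one resource server; raise ValueError on any failure."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h_b64, c_b64, s_b64 = parts
    header = json.loads(_b64url_decode(h_b64))
    # The typ header must identify the token as an access token, not an ID token etc.
    if header.get("typ") != "at+jwt":
        raise ValueError("typ is not at+jwt")
    # Allow-list check: covers "none" and any other algorithm the resource does not accept.
    if header.get("alg") not in ALLOWED_ALGS:
        raise ValueError("alg %r not allowed" % header.get("alg"))
    expected_sig = hmac.new(key, ("%s.%s" % (h_b64, c_b64)).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(s_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(c_b64))
    missing = [c for c in REQUIRED_CLAIMS if c not in claims]
    if missing:
        raise ValueError("missing required claims: %s" % ", ".join(missing))
    if claims["iss"] != expected_iss:
        raise ValueError("unexpected issuer")
    aud = claims["aud"] if isinstance(claims["aud"], list) else [claims["aud"]]
    if expected_aud not in aud:
        raise ValueError("token not intended for this resource")
    if now >= claims["exp"]:
        raise ValueError("token expired")
    # Every scope string must have meaning for this resource (the review's § 2.2.3 question).
    if resource_scopes is not None and "scope" in claims:
        unknown = [s for s in claims["scope"].split() if s not in resource_scopes]
        if unknown:
            raise ValueError("scope not meaningful for this resource: %s" % " ".join(unknown))
    return claims


def rejection_reason(token: str, **kwargs) -> str:
    """Return the validator's error message, or "" if the token is accepted."""
    try:
        validate_access_token(token, **kwargs)
        return ""
    except ValueError as exc:
        return str(exc)


# Constructed sample values (not from the draft).
KEY = b"constructed-demo-key"
ISS, AUD = "https://as.example", "https://rs.example"
USER_CLAIMS = {"iss": ISS, "exp": 2000, "aud": AUD, "sub": "alice",
               "client_id": "app1", "iat": 1000, "jti": "id-1", "scope": "read write"}
# client_credentials grant: no end user, so sub is the client_id itself.
CLIENT_CLAIMS = {"iss": ISS, "exp": 2000, "aud": AUD, "sub": "batch-job",
                 "client_id": "batch-job", "iat": 1000, "jti": "id-2", "scope": "read"}

if __name__ == "__main__":
    tok = mint_access_token(USER_CLAIMS, KEY)
    print(validate_access_token(tok, KEY, ISS, AUD, {"read", "write"}, now=1500)["sub"])
    print(rejection_reason(mint_access_token(USER_CLAIMS, KEY, alg="none"),
                           key=KEY, expected_iss=ISS, expected_aud=AUD, now=1500))
```

The validator checks the header before touching the signature or claims, so an unsigned or wrongly typed token is refused without any cryptographic work; the optional `resource_scopes` argument turns the draft's "MUST have meaning for the resources" requirement into a concrete rejection, which is the behaviour the review asks § 4 to spell out.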