Hi Roberto,

On Fri, Apr 02, 2021 at 11:55:27AM +0200, Roberto Polli wrote:
> Hi Vittorio et al,
>
> some considerations on OAuth access token JWT follow.
> You can see them here too:
> https://docs.google.com/document/d/1XsvBzGvhcY0N6vJNgLx6G1dJ5trvgwYRJA9F_NCakbU/edit
>
> An example with client_credential grant type would be nice too.
>
> My 2¢,
> R.
>
> § 1.2 Terminology
>
> + The term "Collision-Resistant" is used according to Section 2 of
> {{JWT}}.
>
> §2.1 Header
>
> - mentioning "none" alg can be redundant. I'd reference all the JWT BCP
> instead.
> - I'd add an example header, e.g.
>
> ~~~ example
> {
>   "typ": "at+jwt",
>   "alg": "PS256"
> }
> ~~~
>
> § 2.2.1 Authentication Information Claims
>
> Is it worth mentioning the "implicit flow"?
>
> §2.2.2 Identity Claims
>
> - use the "Collision-Resistant" definition in {{JWT}}
>
> §2.2.3 Authorization Claims
>
> - " ... scope parameter..." should `scope` be quoted?
> - "All the individual scope strings in the "scope" claim MUST have meaning
> for the resources indicated in the "aud" claim."
> ^ otherwise the error returned is ...? Should we reference §4 here?
>
> §2.2.3.1 Claims for Authorization Outside of Delegation Scenarios
> - which are the delegated scenarios described in RFC7519? Do you refer to
> "When using an administratively delegated namespace"? It is not clear to a
> first-time reader.
>
> §3 Requesting a JWT Access Token
> - an example with `client_credential` grant type would be great.
> - iiuc `jti` is required, the example does not report it.
That's a very good catch; thank you!

-Ben

> §4 Validating JWT Access Tokens
>
> - the step about forbidding "none" is limitative WRT JWT BCP 8725
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth