+1
I’ve been trying to argue this for a bit now … that while OAuth may not
deprecate the usage of unstructured access tokens (or prohibit others from
defining their own) that having a WG guidance on what a structured JWT (or
SAML) access token would like … I think developers moving forward
I agree that it’s likely a claim that would be used in access tokens.
I’m coming to the conclusion that we should actually write an access token
profile for JWT and probably SAML as well. This would be parallel to the kinds
of requirements placed on the use of SAML and JWT when used for client
This looks right to me (and I'm in a boring meeting processing
errata:-) so I'm gonna mark it as verified. Please let me know
if that's wrong.
S
On 02/26/2013 05:07 PM, RFC Errata System wrote:
> The following errata report has been submitted for RFC6749,
> "The OAuth 2.0 Authorization Framework
It's a question of whether the JWT spec alone is used (in which case it needs
scope) or whether another profile for access tokens is needed.
Since scope is fundamental to OAuth, I think it is part of the core set of
minimal attributes for access tokens. In fact I can envision cases where
refe