Hi Torsten!
If 'structured_scope' were to become a generic field for application-specific
content, I believe an indicator for the type of content would be needed in
the long run. That is what I meant by 'profile'. I hope this helps!
Thank you,
Sascha
On Mon., 22 Apr. 2019 at 22:06, Tors
I can see use cases where both approaches are useful. I was just
pointing out that while the RS might not be told the context of the
request from the client's perspective, the client still knows its own
context and can leverage that with UMA at the RS to reduce the need to
request multiple tok
Yes, from 3.3.1 of the UMA OAuth2 grant...
scope
OPTIONAL. A string of space-separated values representing requested
scopes. For the authorization server to consider any requested scope
in its assessment, the client MUST have pre-registered the same
scope with the authorization server
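As an added illustration of the rule quoted above (this is example code written for this page, not code from the UMA specification or from any of the participants), the following sketch shows how an authorization server might apply it: the OPTIONAL, space-separated `scope` parameter is parsed, and only those requested scopes that the client pre-registered are passed on for assessment; the rest are set aside. The `RegisteredClient` type, the function names and the sample client registration are all assumptions made for the example.

```python
"""Requested-scope handling per the quoted UMA grant text (added example).

Rule being implemented: for the AS to *consider* a requested scope, the
client MUST have pre-registered that same scope with the AS. Anything the
client did not register is therefore not considered in the assessment.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class RegisteredClient:
    """Hypothetical AS-side view of a client registration (assumption)."""
    client_id: str
    scopes: FrozenSet[str]  # scopes the client pre-registered at the AS


def parse_scope_param(scope_param: Optional[str]) -> List[str]:
    """Split the OPTIONAL `scope` parameter into its space-separated values.

    Edge cases handled: parameter absent (None), empty string, runs of
    spaces, and a scope repeated in the same request (kept once, in order).
    """
    if not scope_param:
        return []
    requested: List[str] = []
    for token in scope_param.split(" "):
        if token and token not in requested:
            requested.append(token)
    return requested


def scopes_to_consider(client: RegisteredClient,
                       scope_param: Optional[str]) -> Tuple[List[str], List[str]]:
    """Apply the pre-registration rule.

    Returns (considered, ignored): `considered` holds the requested scopes
    the client pre-registered and that the AS may take into account;
    `ignored` holds requested scopes with no matching registration.
    Whether to fail the request outright when `ignored` is non-empty is a
    policy choice not stated in the quoted text, so it is left to the caller.
    """
    requested = parse_scope_param(scope_param)
    considered = [s for s in requested if s in client.scopes]
    ignored = [s for s in requested if s not in client.scopes]
    return considered, ignored


if __name__ == "__main__":
    # Constructed sample registration and request; not real identifiers.
    client = RegisteredClient("example-client", frozenset({"read", "write"}))
    considered, ignored = scopes_to_consider(client, "read  write admin read")
    print("considered:", considered)  # ['read', 'write']
    print("ignored:", ignored)        # ['admin']
```

The split-and-filter step is kept separate from the registration check so that the same parser can be reused for the `scope` value the AS later echoes back in its response.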
Ah, I hadn't considered the OpenID Connect/claims connection. At one point
we actually considered using the private_key_jwt client secret to transport
"claims" from the client to the AS - so we were happy to learn about the
JAR spec.
In my opinion TLS is good enough, but some security analysts and