Re: [OAUTH-WG] OAuth2 2 legged flows with JWT client assertions

2015-09-16 Thread George Fletcher
Thanks for the pointer Brian, that's helpful! (and yes I didn't dig through the framework spec:)

On 9/16/15 12:27 PM, Brian Campbell wrote:
Yeah, when a client wants to get an access token for itself, the client_credentials grant_type with client_assertion_type/client_assertion. We attempted

Re: [OAUTH-WG] OAuth2 2 legged flows with JWT client assertions

2015-09-16 Thread Brian Campbell
Yeah, when a client wants to get an access token for itself, the client_credentials grant_type with client_assertion_type/client_assertion. We attempted to call this out in the assertion framework (RFC 7521) in a discussion of "Common Scenarios" with

Re: [OAUTH-WG] OAuth2 2 legged flows with JWT client assertions

2015-09-15 Thread Justin Richer
That’s how we’ve implemented it, but I’ve seen others pass the JWS for the token directly using the assertion grant type. Personally I find that a little confusing, since it’s still the client making the swap, but maybe there’s something useful there anyway. It honestly feels a bit too much like

[OAUTH-WG] OAuth2 2 legged flows with JWT client assertions

2015-09-15 Thread George Fletcher
Hi, I just want to verify my reading of RFC 7523[1] for the use case where a client wants to get an access token for itself to use as authorization for future API calls. This is effectively exchanging a JWS for a "short lived" access token. My understanding of section 2.2 of RFC 7523, is tha