You are missing something
https://tools.ietf.org/html/draft-ietf-ace-oauth-authz-33#section-8.13 defined here From: Francesca Palombini <[email protected]> Sent: Friday, February 21, 2020 4:37 AM To: Seitz Ludwig <[email protected]>; Mike Jones <[email protected]>; Jim Schaad <[email protected]> Cc: Ace Wg <[email protected]> Subject: Access token question Hi, Quick question regarding access token and scope. I know that “scope” semantics is left to the application to define, but in general I would expect to include there some information about resource and method/operations allowed on that resource. Please correct me if any of this is not exact. It was my understanding that “scope” (or more precisely the “scope” value) defined for the Client-AS request and response should be included in the access token as well. Checking in CWT, there is no such “scope” claim defined. “aud” claim is indeed defined for the CWT, but that should correspond to “aud” parameter in the ACE request/response. So where do I put the exact resource and operations in the access token? What am I missing? Francesca
_______________________________________________ Ace mailing list [email protected] https://www.ietf.org/mailman/listinfo/ace
