Hi All,

A JWT Bearer grant is a JSON Web Token that contains authorization
information that could be used in exchange for an OAuth token.

According to the OAuth JWT Bearer grant spec
<https://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-12#section-3.1>, a
valid JWT should have some sort of identifier (token endpoint may be used)
of the token issuing authorization server within the audience claim.

The JWT MUST contain an "aud" (audience) claim containing a value that
identifies the authorization server as an intended audience. The token
endpoint URL of the authorization server MAY be used as a value for an
"aud" element to identify the authorization server as an intended audience
of the JWT. The Authorization Server MUST reject any JWT that does not
contain its own identity as the intended audience. In the absence of an
application profile specifying otherwise, compliant applications MUST
compare the audience values using the Simple String Comparison method
defined in Section 6.2.1 of RFC 3986 [RFC3986]. As noted in Section 5, the
precise strings to be used as the audience for a given Authorization Server
must be configured out-of-band by the Authorization Server and the Issuer
of the JWT.

Recently we did some changes in IS to specify the audience values to be
included in the OpenID token. Therefore an OpenID token generated by IS
could be used at any external token endpoint that supports JWT bearer grant
to obtain an access token.

But say I want to get a JWT from an external IDP to be used at the IS
token endpoint: is there a standard way (spec) to request a JWT with the
token endpoint (or any similar identifier) as the audience?

Thanks,
Farasath Ahamed
Software Engineer,
WSO2 Inc.; http://wso2.com
lean.enterprise.middleware


Email: [email protected]
Mobile: +94777603866
Blog: blog.farazath.com
Twitter: @farazath619 <https://twitter.com/farazath619>
_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev
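The audience rule quoted in the message above, turned into the check an authorization server runs on a presented assertion. This is an added example, not code from the post or from WSO2 IS. It assumes a constructed token endpoint URL as the accepted "aud" value and a constructed HS256 key agreed out of band with the issuer (the grant leaves algorithm and key to such out-of-band agreement); it also applies the "exp" check that the same section of the grant spec requires. What it shows beyond the quoted text is the consequence of Simple String Comparison: an "aud" whose host differs only in letter case is rejected, even though RFC 3986 treats hosts as case-insensitive, which is exactly why the precise audience string has to be agreed between issuer and authorization server.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed example values (not from the post): the identifiers this
# authorization server accepts as its own identity in "aud", and the key it
# has agreed out of band with the issuer.
ACCEPTED_AUDIENCES = ("https://as.example.com/oauth2/token",)
SHARED_KEY = b"constructed-example-key-not-for-production"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # Compact JWS segments carry no '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_assertion(claims: dict, key: bytes = SHARED_KEY) -> str:
    """Issuer side (constructed): HS256-sign a claim set into a compact JWT."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def audience_matches(aud_claim, accepted=ACCEPTED_AUDIENCES) -> bool:
    """Section 3.1 rule: some "aud" value must equal one of the server's own
    identifiers under Simple String Comparison (RFC 3986 section 6.2.1), i.e.
    an exact, case-sensitive comparison with no URI normalisation."""
    if isinstance(aud_claim, str):
        values = [aud_claim]
    elif isinstance(aud_claim, list) and all(isinstance(v, str) for v in aud_claim):
        values = aud_claim
    else:
        return False
    return any(v == a for v in values for a in accepted)


def validate_bearer_assertion(jwt, accepted=ACCEPTED_AUDIENCES,
                              key=SHARED_KEY, now=None):
    """Authorization server side: return (ok, reason) for a JWT presented as
    a bearer assertion. The signature is checked before any claim is trusted,
    then the audience rule, then the expiry the grant also requires."""
    now = time.time() if now is None else now
    parts = jwt.split(".")
    if len(parts) != 3:
        return False, "malformed assertion"
    try:
        header = json.loads(_b64url_decode(parts[0]))
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return False, "unexpected alg"   # only the algorithm agreed out of band
        expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
            return False, "bad signature"
        claims = json.loads(_b64url_decode(parts[1]))
    except ValueError:                       # covers base64 and JSON errors
        return False, "malformed assertion"
    if not isinstance(claims, dict):
        return False, "malformed assertion"
    if "aud" not in claims:
        return False, "missing aud"
    if not audience_matches(claims["aud"], accepted):
        return False, "audience does not identify this authorization server"
    exp = claims.get("exp")
    if isinstance(exp, bool) or not isinstance(exp, (int, float)) or exp <= now:
        return False, "expired or missing exp"
    return True, "ok"


if __name__ == "__main__":
    now = 1_700_000_000
    good = make_assertion({"iss": "https://idp.example.org", "sub": "alice",
                           "aud": ACCEPTED_AUDIENCES[0], "exp": now + 300})
    print(validate_bearer_assertion(good, now=now))   # (True, 'ok')
    # Host differs only in case: RFC 3986 would call the hosts equal, but the
    # grant mandates Simple String Comparison, so this assertion is rejected.
    cased = make_assertion({"aud": "https://AS.example.com/oauth2/token",
                            "exp": now + 300})
    print(validate_bearer_assertion(cased, now=now))
```

The check order matters: the signature is verified against the out-of-band key before the claim set is parsed as trusted input, and "aud" is compared as an exact string against the configured identifiers rather than after any URL normalisation, which is what the spec text mandates.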
