Hi, I continue to have an interest in the OAuth assertion profiles for my use cases. I'm wondering if the idea of performing a first OAuth dance which returns to the client a structured JWT access token (with scope=AS for example) could then be used as the JWT in an assertion grant type? So something like this (I show the RO credential flow since it is the simplest to draw, but same idea for the code flow):
  Client                                 AS
    |                                     |
    |------------------------------------>|  (authorization request, scope=AS,
    |                                     |   grant_type=RO password credentials)
    |<------------------------------------|  (token response with access_token scoped to AS)
    |                                     |
    |------------------------------------>|  (authorization request, scope=xyz,
    |                                     |   grant_type=JWT assertion as obtained from previous step)
    |<------------------------------------|  (token response with access token scoped to xyz)

I suppose there is nothing in theory which should prevent this, but I am wondering if anybody else has thought of such a usage.

_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
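The two-request exchange sketched in the message, worked through as an added example (this is not code from the post or from any OAuth implementation). It assumes a single authorization server that signs its access tokens with HS256, identified by the hypothetical issuer https://as.example with token endpoint https://as.example/token, a resource server https://rs.example, and a constructed resource owner "alice". The second request uses the RFC 7523 grant type urn:ietf:params:oauth:grant-type:jwt-bearer, and the AS applies the RFC 7523 section 3 checks (signature, exp, iss, sub, and an aud naming the AS) before treating the step-1 token as a grant:

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed example, not code from the original post: one authorization
# server (AS) issues JWT access tokens and accepts its own AS-scoped token
# back as a jwt-bearer assertion (RFC 7523). Names and key are assumptions.
AS_ISSUER = "https://as.example"
TOKEN_ENDPOINT = AS_ISSUER + "/token"
RESOURCE = "https://rs.example"
JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"  # RFC 7523 grant type
AS_KEY = b"demo-only-hs256-key-known-to-the-AS"
USERS = {"alice": "correct horse battery staple"}  # constructed RO credentials
TOKEN_TTL = 300


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict) -> str:
    """HS256-sign claims with the AS key; the AS is both issuer and verifier."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(AS_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"


def verify_jwt(token: str, now: int) -> dict:
    """Check structure, alg, signature and expiry; return claims or raise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    header, body, sig = parts
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never let the token pick the alg
    expected = hmac.new(AS_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body))
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims


def issue(sub: str, scope: str, now: int) -> dict:
    """Mint an access token. An AS-scoped token is addressed to the token
    endpoint (RFC 7523 audience rule); any other token is addressed to the
    resource server and is therefore useless as an assertion."""
    aud = TOKEN_ENDPOINT if scope == "AS" else RESOURCE
    claims = {"iss": AS_ISSUER, "sub": sub, "aud": aud, "scope": scope,
              "iat": now, "exp": now + TOKEN_TTL}
    return {"access_token": sign_jwt(claims), "token_type": "Bearer",
            "expires_in": TOKEN_TTL, "scope": scope}


def token_endpoint(form: dict, now: int = None) -> dict:
    """Handle one token request (form parameters as a dict); return the JSON."""
    now = int(time.time()) if now is None else now
    grant, scope = form.get("grant_type"), form.get("scope", "")
    if grant == "password":  # step 1 of the post: RO password credentials, scope=AS
        if USERS.get(form.get("username")) != form.get("password"):
            return {"error": "invalid_grant"}
        return issue(form["username"], scope, now)
    if grant == JWT_BEARER:  # step 2: the step-1 access token is the assertion
        try:
            claims = verify_jwt(form.get("assertion", ""), now)
        except ValueError as exc:
            return {"error": "invalid_grant", "error_description": str(exc)}
        auds = claims.get("aud")
        auds = auds if isinstance(auds, list) else [auds]
        # RFC 7523 section 3: issuer, subject and an audience naming this AS
        if claims.get("iss") != AS_ISSUER or "sub" not in claims:
            return {"error": "invalid_grant", "error_description": "bad iss/sub"}
        if TOKEN_ENDPOINT not in auds:
            return {"error": "invalid_grant", "error_description": "aud is not this AS"}
        # Design choice of this demo: only a token carrying scope AS is a valid
        # assertion, and it cannot be exchanged for another AS token, so the
        # chain ends at the first token's exp.
        if "AS" not in claims.get("scope", "").split() or "AS" in scope.split():
            return {"error": "invalid_scope"}
        return issue(claims["sub"], scope, now)
    return {"error": "unsupported_grant_type"}


def run_flow(now: int) -> tuple:
    """The two requests from the post, in order."""
    step1 = token_endpoint({"grant_type": "password", "username": "alice",
                            "password": "correct horse battery staple",
                            "scope": "AS"}, now)
    step2 = token_endpoint({"grant_type": JWT_BEARER,
                            "assertion": step1["access_token"], "scope": "xyz"}, now)
    return step1, step2
```

Two points the example makes explicit that the diagram leaves implicit. First, the AS-scoped token only works as an assertion because its aud names the token endpoint; the xyz token is addressed to the resource server, so a token stolen from a resource request cannot be replayed at the AS to mint further tokens. Second, the AS-scoped token is still a bearer credential: whoever holds it can obtain xyz tokens until it expires, so its lifetime (and the refusal to re-issue scope AS through the assertion path) is what bounds the chain.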
