Am I missing something? JWT is firstly an OAuth spec. Otherwise why isn't it in the JOSE WG?

Phil

Sent from my phone.

On 2013-02-28, at 8:44, Brian Campbell <[email protected]> wrote:

> I think John's point was more that scope is something rather specific to an
> OAuth access token and, while JWT can be used to represent an access
> token, it's not the only application of JWT. The 'standard' claims in JWT are
> those that are believed (right or wrong) to be widely applicable across
> different applications of JWT. One could argue about it but scope is probably
> not one of those.
>
> It would probably make sense to try and build a profile of JWT specifically
> for OAuth access tokens (though I suspect there are some turtles and dragons
> in there), which might be the appropriate place to define/register a scope
> claim.
>
>
> On Thu, Feb 28, 2013 at 9:24 AM, Phil Hunt <[email protected]> wrote:
>> Are you advocating TWO systems? That seems like a bad choice.
>>
>> I would rather fix scope than go to a two system approach.
>>
>> Phil
>>
>> Sent from my phone.
>>
>> On 2013-02-28, at 8:17, John Bradley <[email protected]> wrote:
>>
>> > While scope is one method that an AS could communicate authorization to an
>> > RS, it is not the only or perhaps even the most likely one.
>> > Using scope requires a relatively tight binding between the RS and AS,
>> > UMA uses a different mechanism that describes finer grained operations.
>> > The AS may include roles, user, or other more abstract claims that the
>> > client may (god help them) pass on to EXCML for processing.
>> >
>> > While having a scopes claim is possible, like any other claim it is not
>> > part of the JWT core security processing claims, and needs to be defined
>> > by extension.
>> >
>> > John B.
>> > On 2013-02-28, at 2:29 AM, Hannes Tschofenig <[email protected]>
>> > wrote:
>> >
>> >> Hi Mike,
>> >>
>> >> when I worked on the MAC specification I noticed that the JWT does not
>> >> have a claim for the scope. I believe that this would be needed to allow
>> >> the resource server to verify whether the scope the authorization server
>> >> authorized is indeed what the client is asking for.
>> >>
>> >> Ciao
>> >> Hannes
>> >>
>> >> _______________________________________________
>> >> OAuth mailing list
>> >> [email protected]
>> >> https://www.ietf.org/mailman/listinfo/oauth
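The resource-server check Hannes describes, as an added example that is not code from the thread or from any participant: the AS mints an HS256 JWT carrying a hypothetical space-delimited `scope` claim (not a registered JWT claim; treated here as the extension John mentions), and the RS verifies signature, algorithm, audience and expiry before checking that the granted scope covers the operation the client is asking for. The key, issuer, audience, expiry and scope strings are all constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo secret shared by AS and RS; a real deployment distributes keys out of band.
DEMO_KEY = b"constructed-shared-secret-for-demo"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(key: bytes, claims: dict) -> str:
    """AS side: sign the claim set (including the hypothetical 'scope' claim) as an HS256 JWT."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_token(key: bytes, token: str, audience: str, now: int) -> Optional[dict]:
    """RS side: return the claims only if structure, alg, signature, audience and expiry all check out."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header = json.loads(_b64url_decode(parts[0]))
    if header.get("alg") != "HS256":  # pin the expected algorithm instead of trusting the header
        return None
    expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
        return None  # signature mismatch: the payload (and any scope in it) is untrusted
    claims = json.loads(_b64url_decode(parts[1]))
    if claims.get("aud") != audience or claims.get("exp", 0) <= now:
        return None
    return claims


def authorized_for(claims: dict, required_scope: str) -> bool:
    """Does the scope the AS granted cover the operation the client is requesting?"""
    granted = set(claims.get("scope", "").split())
    return required_scope in granted
```

Because the scope lives inside the signed payload, a client that rewrites the claim set to add a scope invalidates the signature and the RS rejects the token before it ever looks at `scope`.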
