I hadn't considered that but it's a good question. Do folks see value in the act/may_act claim semantics for introspection? I think doing it for act makes a lot of sense while may_act seems a bit awkward in that context of use. But maybe I'm just not seeing it.
On Fri, Mar 4, 2016 at 7:59 PM, Thomas Broyer <[email protected]> wrote: > Should the act and may_act also be registered for Introspection Endpoint > responses? > > Le ven. 4 mars 2016 21:13, Brian Campbell <[email protected]> a > écrit : > >> >> A new draft of "OAuth 2.0 Token Exchange" has been published addressing >> review comments on the prior draft. The changes from -03 are listed here: >> >> https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-04 >> >> o Clarified that the "resource" and "audience" request parameters >> can be used at the same time (via http://www.ietf.org/mail- >> <http://www.ietf.org/mail-archive/web/oauth/current/msg15335.html> >> archive/web/oauth/current/msg15335.html >> <http://www.ietf.org/mail-archive/web/oauth/current/msg15335.html>). >> o Clarified subject/actor token validity after token exchange and >> explained a bit more about the recommendation to not issue refresh >> tokens (via http://www.ietf.org/mail-archive/web/oauth/current/ >> <http://www.ietf.org/mail-archive/web/oauth/current/msg15318.html> >> msg15318.html >> <http://www.ietf.org/mail-archive/web/oauth/current/msg15318.html>). >> o Updated the examples appendix to use an issuer value that doesn't >> imply that the client issued and signed the tokens and used >> "Bearer" and "urn:ietf:params:oauth:token-type:access_token" in >> one of the responses (via http://www.ietf.org/mail- >> <http://www.ietf.org/mail-archive/web/oauth/current/msg15335.html> >> archive/web/oauth/current/msg15335.html >> <http://www.ietf.org/mail-archive/web/oauth/current/msg15335.html>). >> o Defined and registered urn:ietf:params:oauth:token-type:id_token, >> since some use cases perform token exchanges for ID Tokens and no >> >> >> >> ---------- Forwarded message ---------- >> From: <[email protected]> >> Date: Fri, Mar 4, 2016 at 12:57 PM >> Subject: [OAUTH-WG] I-D Action: draft-ietf-oauth-token-exchange-04.txt >> To: [email protected] >> Cc: [email protected] >> >> >> >> A New Internet-Draft is available from the on-line Internet-Drafts >> directories. >> This draft is a work item of the Web Authorization Protocol of the IETF. >> >> Title : OAuth 2.0 Token Exchange: An STS for the REST >> of Us >> Authors : Michael B. Jones >> Anthony Nadalin >> Brian Campbell >> John Bradley >> Chuck Mortimore >> Filename : draft-ietf-oauth-token-exchange-04.txt >> Pages : 28 >> Date : 2016-03-04 >> >> Abstract: >> This specification defines a protocol for a lightweight HTTP- and >> JSON- based Security Token Service (STS) by defining how to request >> and obtain security tokens from OAuth 2.0 authorization servers, >> including security tokens employing impersonation and delegation. >> >> >> The IETF datatracker status page for this draft is: >> https://datatracker.ietf.org/doc/draft-ietf-oauth-token-exchange/ >> >> There's also a htmlized version available at: >> https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-04 >> >> A diff from the previous version is available at: >> https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-token-exchange-04 >> >> >> Please note that it may take a couple of minutes from the time of >> submission >> until the htmlized version and diff are available at tools.ietf.org. >> >> Internet-Drafts are also available by anonymous FTP at: >> ftp://ftp.ietf.org/internet-drafts/ >> >> _______________________________________________ >> OAuth mailing list >> [email protected] >> https://www.ietf.org/mailman/listinfo/oauth >> >> _______________________________________________ >> OAuth mailing list >> [email protected] >> https://www.ietf.org/mailman/listinfo/oauth >> >
_______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
