The intent is that urn:ietf:params:oauth:token-type:access_token be an indicator that the token is a typical OAuth access token issued by the AS in question, opaque to the client, and usable in the same manner as any other access token obtained from that AS (it could well be a JWT, but the client isn't and needn't be aware of that fact). Whereas urn:ietf:params:oauth:token-type:jwt is to indicate that a JWT specifically is being requested or sent (perhaps in a cross-domain use case to get an access token from a different AS, as is facilitated by RFC 7523).
Is that helpful at all? I agree that it can be confusing. But it's representative of the kinds of tokens and their usages out there now. So it needs to be allowed. I'd welcome ideas about how the language could be improved to help alleviate some of the confusion though.

On Mon, Apr 11, 2016 at 7:25 AM, Adam Lewis <[email protected]> wrote:
> Hi,
>
> There are multiple places in draft-ietf-oauth-token-exchange-04 where a differentiation seems to be drawn between 'access_token' and 'jwt' ... for example in section 2.2.1, when discussing the issued_token_type, it states:
>
> > a value of "urn:ietf:params:oauth:token-type:access_token" indicates that the issued token is an access token and a value of "urn:ietf:params:oauth:token-type:jwt" indicates that it is a JWT.
>
> This is confusing to me because an access token represents a delegated authorization decision, whereas JWT is a token *format*. An access token could easily be a JWT (and in many deployments, they are).
>
> So why the desire to differentiate, and what does the differentiation mean?
>
> tx!
> adam
>
> _______________________________________________
> OAuth mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/oauth
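As an added example, not part of this thread or the draft, here is how a client might act on the issued_token_type of a token-exchange response: a result typed access_token is kept opaque and used as a bearer token without being parsed, while a result typed jwt is validated as a JWT (signature, exp, aud) before its claims are used. The HS256 shared key, the audience value and the sample claims are assumptions for illustration; a real AS would more likely sign with an asymmetric key.

```python
import base64, hmac, hashlib, json

ACCESS_TOKEN = "urn:ietf:params:oauth:token-type:access_token"
JWT = "urn:ietf:params:oauth:token-type:jwt"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_hs256_jwt(claims: dict, key: bytes) -> str:
    # Constructed sample: an HS256-signed JWT standing in for what an AS might issue.
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"

def handle_exchange_response(resp: dict, key: bytes, expected_aud: str, now: int) -> dict:
    """Interpret a token-exchange response according to issued_token_type."""
    # The issued token is carried in the 'access_token' response parameter
    # regardless of its type (the name is kept for RFC 6749 compatibility).
    token = resp["access_token"]
    itype = resp["issued_token_type"]
    if itype == ACCESS_TOKEN:
        # Opaque to the client: store it and send it as a bearer token; never
        # parse it or depend on any internal structure it may happen to have.
        return {"kind": "opaque", "bearer": token}
    if itype == JWT:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        # Pin the expected algorithm; never let the token's own 'alg' choose it.
        if header.get("alg") != "HS256":
            raise ValueError("unexpected alg")
        expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            raise ValueError("bad signature")
        claims = json.loads(b64url_decode(body_b64))
        if claims.get("exp", 0) <= now or claims.get("aud") != expected_aud:
            raise ValueError("expired or wrong audience")
        return {"kind": "jwt", "claims": claims}
    raise ValueError(f"unsupported issued_token_type {itype}")
```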
