Thanks Dick, I agree. The scenario of self-issued access tokens doesn't really follow the model of OAuth.
So, if we do standardize self-issued access tokens, maybe OAUTH WG is not the right venue. Maybe HTTPBIS or HTTPAPI WGs?

Toshio Ito

From: Dick Hardt <[email protected]>
Sent: Wednesday, September 29, 2021 3:06 PM
To: ito toshio(伊藤 俊夫 ○RDC□IT研○CNL) <[email protected]>
Cc: [email protected]
Subject: Re: [OAUTH-WG] self-issued access tokens

If the client is sending a self-signed JWT to the RS, you essentially are just authenticating directly to the RS. Not really OAuth as the RS has not delegated authorization authority to the AS.

If the client sends a self-signed JWT (a PAR) to the AS, and gets back an access token to present to the RS, you get centralized authorization decisions, a key feature of OAuth.
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
