Would be useful to understand your use case and what the goals and constraints are.

On Thu, Sep 30, 2021 at 5:58 PM <[email protected]> wrote:

> Thanks Dick,
>
> I agree. The scenario of self-issued access tokens doesn't really follow the model of OAuth.
>
> So, if we do standardize self-issued access tokens, maybe OAUTH WG is not the right venue. Maybe HTTPBIS or HTTPAPI WGs?
>
> Toshio Ito
>
> *From:* Dick Hardt <[email protected]>
> *Sent:* Wednesday, September 29, 2021 3:06 PM
> *To:* ito toshio(伊藤 俊夫 ○RDC□IT研○CNL) <[email protected]>
> *Cc:* [email protected]
> *Subject:* Re: [OAUTH-WG] self-issued access tokens
>
> If the client is sending a self-signed JWT to the RS, you essentially are just authenticating directly to the RS. Not really OAuth as the RS has not delegated authorization authority to the AS.
>
> If the client sends a self-signed JWT (a PAR) to the AS, and gets back an access token to present to the RS, you get centralized authorization decisions, a key feature of OAuth.

_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
