Hi Nikos,

If you mean indicate to the client, then in my view, no — not directly in a 
delegation protocol like OAuth, at least. The format of the token, and its 
contents, are abstracted away. As has been mentioned in the thread already, you 
can return a “scope” and other parameters to the client to indicate what it 
should ask for, as well as “resource” or even “authorization_details” to use 
RAR structures. However, there’s an important point that I see so many 
engineers trip over:


- Scope, resource, authorization_details (RAR), audience, etc: parameters that 
the client uses to describe what it wants in a request. Let’s call this the 
“request set”.
- iss, sub, claims, attributes, etc: items inside a JWT access token (when you 
use that format) to tell an RS what the token’s good for. Let’s call this the 
“access set”.


The client and AS communicate using the “request set”, while the AS and RS 
communicate in the “access set”. It’s the job of the AS — literally the primary 
function of the role of AS — to translate the “request set” into an 
artifact, the access token, that can be interpreted in the “access set”. The 
access token is the artifact that provides that abstraction to the client, and 
the AS is the mechanism through which a client’s understanding of what it’s 
asking for gets translated to what the RS actually understands. 

What gets confusing is that sometimes these are the same in practice — you can 
use “scope” in both places as an abstraction in the access token itself. I’ve 
seen that work many times. But when you do that it does seem like the client is 
saying “put the following things inside the access token”, when what’s really 
happening is the client is saying “I want access to the following things” and 
the AS is taking that list and saying “that means these other things are what 
go in the access token”.

The entire purpose of a delegation protocol is that translation from “request 
set” to “access set” semantics. Trying to skip that gets you out of delegation 
protocol territory pretty quickly.

 — Justin



> On Dec 11, 2021, at 5:35 AM, Nikos Fotiou <fot...@aueb.gr> wrote:
> 
> Hi,
> 
> I have a use case where a resource server is protected and can only be 
> accessed if a JWT is presented. Is there any way for the server to "indicate" 
> the "expected" format of the JWT. For example, respond to unauthorized 
> requests with something that would be translated into "I expect tokens from 
> iss X with claims [A,B,C]"
> 
> Best,
> Nikos
> 
> --
> Nikos Fotiou - http://pages.cs.aueb.gr/~fotiou
> Researcher - Mobile Multimedia Laboratory
> Athens University of Economics and Business
> https://mm.aueb.gr
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

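The request-set / access-set split Justin describes, as an added example that is not part of the thread and not anyone's production code. It is stdlib-only Python; the issuer URL, the shared HS256 key, the scope names, the permission claim names and the resource URIs are all assumptions for illustration. The AS takes what the client asks for (scope, optional resource) and derives what goes into the JWT (iss, sub, aud, permission claims); the RS acts only on those claims. When the RS refuses a request it can only hint back in request-set vocabulary, via the RFC 6750 WWW-Authenticate "scope" attribute, which is the closest standard answer to Nikos's question: it names a scope to ask the AS for, not the claims it expects inside the token.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Everything below is illustrative: issuer, key, scope names, claim names and
# resource URIs are assumptions for this example, not values from the thread.
AS_ISSUER = "https://as.example"
HS256_KEY = b"demo-shared-secret-do-not-use"  # shared AS<->RS key; HS256 only for brevity

# AS policy: how each name in the "request set" (scope) maps onto the "access
# set" (aud + permission claims) that a particular RS understands.
SCOPE_POLICY = {
    "photos.read":   {"aud": "https://photos.example", "claims": {"photo_perms": ["read"]}},
    "photos.write":  {"aud": "https://photos.example", "claims": {"photo_perms": ["write"]}},
    "calendar.read": {"aud": "https://cal.example",    "claims": {"cal_perms": ["read"]}},
}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_jwt(claims: dict) -> str:
    """Minimal HS256 JWT minting; a real AS would use an asymmetric key and a library."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "at+jwt"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(HS256_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def authorization_server(subject: str, request_set: dict, now: Optional[int] = None) -> str:
    """Translate the client's request set (scope, optional resource) into an access set and mint it.
    Raises ValueError("invalid_scope") when nothing requested is grantable."""
    now = int(time.time()) if now is None else now
    resource = request_set.get("resource")
    granted, auds, perms = [], set(), {}
    for name in request_set.get("scope", "").split():
        policy = SCOPE_POLICY.get(name)
        if policy is None or (resource and policy["aud"] != resource):
            continue  # unknown scope, or scope not meaningful at the requested resource: dropped
        granted.append(name)
        auds.add(policy["aud"])
        for claim, values in policy["claims"].items():
            perms.setdefault(claim, []).extend(values)
    if not granted:
        raise ValueError("invalid_scope")
    access_set = {
        "iss": AS_ISSUER, "sub": subject, "aud": sorted(auds),
        "iat": now, "exp": now + 600,
        # "scope" echoed here is the AS's choice, not a client instruction:
        # the RS still acts on the permission claims the AS derived.
        "scope": " ".join(granted),
        **perms,
    }
    return sign_jwt(access_set)

PHOTOS_AUD = "https://photos.example"
# Request-set vocabulary the photos RS can hint back with (RFC 6750 "scope" attribute).
PHOTOS_SCOPE_HINT = {"read": "photos.read", "write": "photos.write"}

def photos_resource_server(authz_header: Optional[str], needed: str, now: Optional[int] = None):
    """Act only on the access set. Returns (status, claims or None, WWW-Authenticate or None)."""
    now = int(time.time()) if now is None else now
    if not authz_header or not authz_header.startswith("Bearer "):
        return 401, None, 'Bearer realm="photos"'
    try:
        h, p, s = authz_header[len("Bearer "):].split(".")
        if json.loads(b64url_decode(h)).get("alg") != "HS256":
            raise ValueError("unexpected alg")
        expected = hmac.new(HS256_KEY, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s)):
            raise ValueError("bad signature")
        claims = json.loads(b64url_decode(p))
        aud = claims.get("aud", [])
        aud = [aud] if isinstance(aud, str) else aud
        if claims.get("iss") != AS_ISSUER or PHOTOS_AUD not in aud or claims.get("exp", 0) <= now:
            raise ValueError("wrong iss/aud or expired")
    except (ValueError, AttributeError, TypeError):
        return 401, None, 'Bearer realm="photos", error="invalid_token"'
    if needed not in claims.get("photo_perms", []):
        # The RS cannot say "put claim X in the token"; it can only name a scope to ask the AS for.
        return 403, None, f'Bearer realm="photos", error="insufficient_scope", scope="{PHOTOS_SCOPE_HINT[needed]}"'
    return 200, claims, None

if __name__ == "__main__":
    token = authorization_server("alice", {"scope": "photos.read"})
    status, _, challenge = photos_resource_server("Bearer " + token, "write")
    print(status, challenge)  # 403 with scope="photos.write": a request-set hint, nothing about claims
    token = authorization_server("alice", {"scope": "photos.read photos.write"})
    status, claims, _ = photos_resource_server("Bearer " + token, "write")
    print(status, claims["photo_perms"])  # 200 ['read', 'write']
```

The point to notice is that the client never sees "photo_perms"; it only ever exchanges "photos.read" / "photos.write" with the AS, and the RS only ever reads "photo_perms". The word "scope" appearing in the token as well is the case Justin flags as confusing: it is there because this AS chose to echo it, not because the client asked for it to be there.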