Thanks all! Section 8.13 of the framework is exactly what I was looking for, I 
don’t know how I did not see it. A bit surprised there is no text referencing 
it in the framework itself.

Also, about the “scope” claim registration: the claim description and the 
specification document give 2 different pointers. The claim description ref 
points to the description for JWT (JSON string etc), I think this should be 
adapted to using CBOR (writing a section in the ACE framework, which could then 
reference both pointers). Also minor, I would add the precise section of 6749 
we should look at, which I assume is 3.3.

Francesca
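As an added illustration of the point discussed in this thread (not code from the ACE framework or from any poster), below is a minimal resource-server check over a decoded CWT claims set: the token must be for this RS ("aud", CWT claim key 3 per RFC 8392) and the "scope" claim (key 9, as registered by the ACE framework section Jim points to) must grant the requested operation on the requested resource. The "<resource>:<op,op>" scope syntax is an assumed application convention, since the framework leaves scope semantics to the application; the claims map is constructed sample data.

```python
# Claim keys: 3 = "aud" (RFC 8392), 9 = "scope" (ACE framework registration).
AUD = 3
SCOPE = 9


def parse_scope(scope):
    """Parse an assumed application scope format, e.g. "/temp:GET /cfg:GET,PUT",
    into {resource: {OPS}}. ACE allows the scope claim to be a CBOR text string
    or byte string, so bytes are accepted and decoded as UTF-8."""
    if isinstance(scope, bytes):
        scope = scope.decode("utf-8")
    grants = {}
    for entry in scope.split():
        resource, _, ops = entry.partition(":")
        if not resource or not ops:
            raise ValueError(f"malformed scope entry: {entry!r}")
        grants.setdefault(resource, set()).update(ops.upper().split(","))
    return grants


def is_authorized(claims, rs_audience, resource, method):
    """Decide whether an already-verified token authorizes `method` on
    `resource` at this RS. Any missing or malformed claim denies access."""
    if claims.get(AUD) != rs_audience:
        return False
    scope = claims.get(SCOPE)
    if scope is None:
        return False
    try:
        grants = parse_scope(scope)
    except ValueError:
        return False
    return method.upper() in grants.get(resource, set())


# Constructed sample claims set, as the RS would see it after CWT verification.
SAMPLE_CLAIMS = {AUD: "tempSensor4711", SCOPE: "/temp:GET /config:GET,PUT"}

if __name__ == "__main__":
    print(is_authorized(SAMPLE_CLAIMS, "tempSensor4711", "/config", "PUT"))
```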

From: Mike Jones <michael.jo...@microsoft.com>
Date: Friday, 21 February 2020 at 19:45
To: Jim Schaad <i...@augustcellars.com>, Francesca Palombini 
<francesca.palomb...@ericsson.com>, 'Seitz Ludwig' <ludwig.se...@combitech.se>
Cc: Ace Wg <ace@ietf.org>
Subject: RE: [EXTERNAL] RE: Access token question

And https://tools.ietf.org/html/rfc8693#section-7.4, which registers “scope” at 
https://www.iana.org/assignments/jwt/jwt.xhtml.

-- Mike

From: Jim Schaad <i...@augustcellars.com>
Sent: Friday, February 21, 2020 9:15 AM
To: 'Francesca Palombini' <francesca.palomb...@ericsson.com>; 'Seitz Ludwig' 
<ludwig.se...@combitech.se>; Mike Jones <michael.jo...@microsoft.com>
Cc: 'Ace Wg' <ace@ietf.org>
Subject: [EXTERNAL] RE: Access token question

You are missing something

https://tools.ietf.org/html/draft-ietf-ace-oauth-authz-33#section-8.13

defined here

From: Francesca Palombini <francesca.palomb...@ericsson.com>
Sent: Friday, February 21, 2020 4:37 AM
To: Seitz Ludwig <ludwig.se...@combitech.se>; Mike Jones <michael.jo...@microsoft.com>; Jim Schaad <i...@augustcellars.com>
Cc: Ace Wg <ace@ietf.org>
Subject: Access token question

Hi,

Quick question regarding access token and scope.
I know that “scope” semantics is left to the application to define, but in 
general I would expect to include there some information about resource and 
method/operations allowed on that resource. Please correct me if any of this is 
not exact.

It was my understanding that “scope” (or more precisely the “scope” value) 
defined for the Client-AS request and response should be included in the access 
token as well. Checking in CWT, there is no such “scope” claim defined. “aud” 
claim is indeed defined for the CWT, but that should correspond to “aud” 
parameter in the ACE request/response. So where do I put the exact resource and 
operations in the access token?

What am I missing?

Francesca
_______________________________________________
Ace mailing list
Ace@ietf.org
https://www.ietf.org/mailman/listinfo/ace