<div dir="ltr">There seems to be a fundamental problem with even calling this an "authorization server". Authorization happens only at the resource server itself. The best the "AS" can do is issue a set of claims (some masquerading as scopes) - some of which it might also verify. The challenge with the jwt is that the validity of the entire jwt is what is asserted. What is needed by the resource server is the validity statement for each claim. Including the claim that the client is trustworthy and (in openid) that the level of authentication and/or proof-of-presence and/or consent of the user was validated (or not). Combining these various ideas might seem like a good idea, but if the resource server has different criteria for different claims, it might not be sufficient.<br clear="all"><div><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div>Peace ..tom</div></div></div></div><br></div><br><div class="gmail_quote"><div dir="ltr">On Fri, Nov 2, 2018 at 9:53 AM Preibisch, Sascha H via Openid-specs-ab <<a href="mailto:openid-specs-ab@lists.openid.net">openid-specs-ab@lists.openid.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div lang="EN-CA" link="#0563C1" vlink="#954F72">
<div class="m_2529101747130236058WordSection1">
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt">Hi all!<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt"><u></u> <u></u></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt">I would like to share the idea of oauth clients that issue token themselves with you.
<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt"><u></u> <u></u></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt">I wrote a blog post about it here:<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt"><a href="https://communities.ca.com/blogs/oauth/2018/11/01/oauth-20-serverless-token-issuance" target="_blank">https://communities.ca.com/blogs/oauth/2018/11/01/oauth-20-serverless-token-issuance</a><u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt"><u></u> <u></u></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt">Thanks for any feedback,<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt">Sascha<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt"><u></u> <u></u></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt">P.S.: today is the last day of CA, as of Monday its Broadcom. I am not sure if my blog post is available afterwards at that location!<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt"><u></u> <u></u></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;color:black">Sascha Preibisch</span><span style="font-size:11.0pt;color:black"><u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;color:black">Principal Software Architect</span><span style="font-size:11.0pt;color:black"><u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;color:black">CA Technologies</span><span style="font-size:11.0pt;color:black"><u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;color:black"><u></u> <u></u></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;color:black">CA Mobile API Gateway</span><span style="font-size:11.0pt;color:black"><u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;color:black">CA API Management OAuth Toolkit</span><span style="font-size:11.0pt;color:black"><u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;color:black"><u></u> <u></u></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;color:black">Email: <a href="mailto:sascha.preibisch@ca.com" target="_blank"><span style="color:#954f72">sascha.preibisch@ca.com</span></a></span><span style="font-size:11.0pt;color:black"><u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;color:black">Blog: <a href="https://communities.ca.com/blogs/oauth" target="_blank">https://communities.ca.com/blogs/oauth</a></span><span style="font-size:11.0pt;color:black"><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><u></u> <u></u></span></p>
<p class="MsoNormal"><b><span style="font-size:14.0pt">My book</span></b><span style="font-size:14.0pt">:</span><span style="font-size:11.0pt">
</span><b><span style="font-size:14.0pt"><a href="https://www.apress.com/de/book/9781484241394" target="_blank"><span style="color:#0563c1">API Development - A Practical Guide for Business Implementation Success</span></a></span></b><span style="font-size:11.0pt"><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><u></u> <u></u></span></p>
<p class="MsoNormal"><b><span lang="EN-US" style="font-size:14.0pt">Latest blog post:
<a href="https://communities.ca.com/blogs/oauth/2018/09/12/azure-ad-integration" target="_blank">
<span style="color:#0563c1">Azure AD integration</span></a><u></u><u></u></span></b></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><u></u> <u></u></span></p>
<p class="MsoNormal"><b><span lang="EN-US" style="font-size:14.0pt">Previous blog post:
<a href="https://communities.ca.com/blogs/oauth/2018/06/25/oauth-toolkit-otk-and-ifttt-tutorial" target="_blank">
<span style="color:#0563c1">OTK + IFTTT tutorial</span></a></span></b><span lang="EN-US"><u></u><u></u></span></p>
</div>
</div>
_______________________________________________<br>
Openid-specs-ab mailing list<br>
<a href="mailto:Openid-specs-ab@lists.openid.net" target="_blank">Openid-specs-ab@lists.openid.net</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" rel="noreferrer" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a><br>
</blockquote></div>