[Openid-specs-heart] Issue #8: JWT access/refresh token claims (openid/heart)
Nov Matake
issues-reply at bitbucket.org
Wed Dec 13 02:12:45 UTC 2017
New issue 8: JWT access/refresh token claims
https://bitbucket.org/openid/heart/issues/8/jwt-access-refresh-token-claims
Nov Matake:
Is the sentence below suggesting that the refresh token's audience SHOULD be the resource servers instead of the authorization server? How does one distinguish access tokens from refresh tokens?
The current trend seems to be defining "typ" for each token type, but at least there should be some guidance on distinguishing those two token types.
*Refresh tokens SHOULD be signed with JWS using the same public key and contain the same set of claims as the access tokens.*
http://openid.net/specs/openid-heart-oauth2-1_0-2017-05-31.html#rfc.section.3.2
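The distinction Nov asks about, as an added example that is not part of this thread or of the HEART profile: an authorization server mints access and refresh tokens as ES256 JWS under one key, exactly as the quoted sentence requires, and a resource server decides which of them to accept. Because the signature is valid on both kinds, it is the `typ` header and the `aud` claim that keep a refresh token from being used as an access token. Every concrete value is an assumption for illustration: the issuer and resource URLs, `at+jwt` as the access-token `typ` (the value RFC 9068 later standardized), and `refresh+jwt` as a refresh-token `typ`, for which no standard value exists.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Assumed deployment values; none of them come from the HEART profile.
const (
	issuerAS   = "https://as.example"      // authorization server, and the audience of refresh tokens
	resourceRS = "https://rs.example/fhir" // resource server, the audience of access tokens
	typAccess  = "at+jwt"                  // access-token typ (the value RFC 9068 later standardized)
	typRefresh = "refresh+jwt"             // assumed: there is no standard typ for refresh tokens
)

type claims struct {
	Iss string `json:"iss"`
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
}

var b64 = base64.RawURLEncoding
var signingKey, _ = ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // the AS key, shared by both token kinds

// mint produces a compact ES256 JWS (raw R||S signature, as JWS requires) whose "typ" header records the token kind.
func mint(priv *ecdsa.PrivateKey, typ string, c claims) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "typ": typ})
	body, _ := json.Marshal(c)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	h := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, h[:])
	if err != nil {
		panic(err) // only a CSPRNG failure gets here
	}
	sig := make([]byte, 64) // r and s left-padded to 32 bytes each
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return input + "." + b64.EncodeToString(sig)
}

// verifyAccessToken is the resource server's check. A refresh token carries a valid signature under the
// same key, so the signature alone does not say which kind of token this is; "typ" and "aud" decide that.
func verifyAccessToken(pub *ecdsa.PublicKey, token, expectedAud string, now time.Time) (*claims, error) {
	parts := strings.Split(token, ".") // always at least one element, so parts[0] is safe below
	var hdr struct{ Alg, Typ string }  // encoding/json matches "alg"/"typ" case-insensitively
	if raw, err := b64.DecodeString(parts[0]); len(parts) != 3 || err != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "ES256" {
		return nil, fmt.Errorf("malformed JWS, bad header, or alg %q (verifier pins ES256)", hdr.Alg)
	}
	sig, err := b64.DecodeString(parts[2])
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || len(sig) != 64 ||
		!ecdsa.Verify(pub, h[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, fmt.Errorf("signature invalid")
	}
	if hdr.Typ != typAccess { // the header is authenticated now, so it is safe to act on
		return nil, fmt.Errorf("typ %q: not an access token", hdr.Typ)
	}
	var c claims
	if raw, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &c) != nil {
		return nil, fmt.Errorf("bad claims")
	}
	if c.Iss != issuerAS || c.Aud != expectedAud || !now.Before(time.Unix(c.Exp, 0)) {
		return nil, fmt.Errorf("iss %q / aud %q / exp %d not acceptable to this resource server", c.Iss, c.Aud, c.Exp)
	}
	return &c, nil
}

// scenario mints one access token and three refresh-token variants under one key and returns the verdicts.
func scenario() map[string]error {
	now := time.Unix(1513130000, 0) // fixed clock for a reproducible outcome
	at := claims{Iss: issuerAS, Aud: resourceRS, Exp: now.Add(time.Hour).Unix()}
	rt := claims{Iss: issuerAS, Aud: issuerAS, Exp: now.Add(30 * 24 * time.Hour).Unix()} // addressed to the AS
	cases := []struct{ name, typ string; c claims }{
		{"access", typAccess, at},
		{"refresh", typRefresh, rt},
		{"refresh-same-claims", typRefresh, at}, // the quoted sentence taken literally
		{"refresh-generic-typ", "JWT", at},      // same claims and no typ convention at all
	}
	verdicts := make(map[string]error, len(cases))
	for _, tc := range cases {
		_, verdicts[tc.name] = verifyAccessToken(&signingKey.PublicKey, mint(signingKey, tc.typ, tc.c), resourceRS, now)
	}
	return verdicts
}

func main() {
	for name, err := range scenario() {
		fmt.Printf("%-20s -> %v\n", name, err)
	}
}
```

Only the `access` case is accepted. The `refresh` case would already fail on `aud`, but `refresh-same-claims`, which is what the quoted sentence produces if read literally, has nothing left to reject it except `typ`, and `refresh-generic-typ` shows that the resource server has to require the access-token value positively rather than merely reject the refresh-token one. Since `typ` sits in the protected header, relabelling a refresh token as `at+jwt` invalidates its signature, which is why the marker belongs there and not in an unsigned side channel.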