[Openid-specs-heart] Issue #8: JWT access/refresh token claims (openid/heart)

Justin Richer jricher at mit.edu
Mon Dec 18 14:35:33 UTC 2017


The audience for refresh tokens should be clarified to be the AS here, 
good catch.


On 12/12/2017 9:12 PM, Nov Matake wrote:
> New issue 8: JWT access/refresh token claims
> https://bitbucket.org/openid/heart/issues/8/jwt-access-refresh-token-claims
>
> Nov Matake:
>
> Is the sentence below suggesting that the refresh token's audience SHOULD be the resource servers instead of the authorization server? How do we distinguish access tokens from refresh tokens?
>
> The current trend seems to be defining "typ" for each token type, but at the very least there should be some guidance on distinguishing those two token types.
>
> *Refresh tokens SHOULD be signed with JWS using the same public key and contain the same set of claims as the access tokens.*
>
> http://openid.net/specs/openid-heart-oauth2-1_0-2017-05-31.html#rfc.section.3.2
>
>
> _______________________________________________
> Openid-specs-heart mailing list
> Openid-specs-heart at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-heart
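Added illustration of the two checks this thread converges on (a "typ" header that names the token type, and a refresh-token audience equal to the AS); this is example code, not from the HEART profile or either poster. Issuer, audience, key and the "typ" values are constructed, and HMAC stands in for the asymmetric JWS the profile requires so the snippet runs with the standard library alone.

```python
import base64, hashlib, hmac, json
from typing import Optional, Tuple

# Constructed values (assumptions): the profile signs with the AS's RSA key; HS256 is used
# here only to keep the example self-contained.
KEY = b"constructed-demo-key-not-for-production"
AS_ISSUER = "https://as.example"          # hypothetical authorization server
RS_AUDIENCE = "https://rs.example/fhir"   # hypothetical resource server
TYP_ACCESS, TYP_REFRESH = "at+jwt", "refresh+jwt"  # assumed "typ" values

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_jwt(header: dict, claims: dict) -> str:
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(claims).encode())
    sig = hmac.new(KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def issue_tokens(subject: str, now: int) -> Tuple[str, str]:
    # Same claim set for both tokens, but the access token is addressed to the RS and the
    # refresh token to the AS itself; the "typ" header names which one it is.
    common = {"iss": AS_ISSUER, "sub": subject, "iat": now}
    access = sign_jwt({"alg": "HS256", "typ": TYP_ACCESS},
                      {**common, "aud": RS_AUDIENCE, "exp": now + 600})
    refresh = sign_jwt({"alg": "HS256", "typ": TYP_REFRESH},
                       {**common, "aud": AS_ISSUER, "exp": now + 86400})
    return access, refresh

def verify(token: str, expected_typ: str, expected_aud: str, now: int) -> Optional[dict]:
    # Returns the claims when the token is valid for this recipient, otherwise None.
    try:
        h, c, s = token.split(".")
        expected = hmac.new(KEY, f"{h}.{c}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s)):
            return None                      # signature does not verify
        header, claims = json.loads(b64url_decode(h)), json.loads(b64url_decode(c))
    except (ValueError, json.JSONDecodeError):
        return None
    if header.get("alg") != "HS256" or header.get("typ") != expected_typ:
        return None                          # wrong token type for this endpoint
    if claims.get("iss") != AS_ISSUER or claims.get("aud") != expected_aud:
        return None                          # not addressed to this recipient
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None                          # expired
    return claims
```

An RS calls `verify(token, TYP_ACCESS, RS_AUDIENCE, now)`; the AS token endpoint calls `verify(token, TYP_REFRESH, AS_ISSUER, now)`, so a refresh token presented to the RS fails on both the "typ" and the audience check.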
