[Openid-specs-ab] JSON Web Token (JWT) Bearer Profile for OAuth 2.0
Andreas Åkre Solberg
andreas.solberg at uninett.no
Thu Sep 1 08:52:35 UTC 2011
On 1. sep. 2011, at 09:09, nov matake wrote:
> # Step 3. Token Request
>
> [Request]
> * POST /token?grant_type=http://oauth.net/grant_type/jwt/1.0/bearer&jwt=YOUR_ID_TOKEN
I think your proposal is interesting.
However, one showstopper that I see is the following text from the spec:
> The JWT MUST contain an aud (audience) claim containing a URI reference that identifies the authorization server as the intended audience. The authorization server MUST verify that it is an intended audience for the JWT.
An ID Token is issued by the authorization to the OP, and the audience would then NOT include the authorization server.
Andreas
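As an added example (not code from the thread or any project it mentions), this is the audience check that the quoted spec text requires an authorization server to perform, run against a constructed ID Token whose aud names the client rather than the authorization server. The HS256 key, issuer and client identifiers are assumptions for the demo; the signature is verified before any claim is trusted, and the algorithm is fixed rather than read from the header.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo values (not from the thread).
AS_IDENTIFIER = "https://as.example.org/token"   # how this authorization server identifies itself
SHARED_KEY = b"constructed-demo-key-do-not-reuse"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_jwt(claims: dict) -> str:
    """Mint an HS256-signed JWT for the demo (a shared key stands in for the issuer's key)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(SHARED_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"

def verify_bearer_jwt(token: str, expected_audience: str) -> tuple[bool, str]:
    """Check an assertion the way the quoted text demands: signature first,
    then the aud claim MUST include this authorization server."""
    try:
        header, body, sig = token.split(".")
    except ValueError:
        return False, "malformed token"
    # Algorithm is fixed to HS256 here; never let the token's header choose it.
    expected_sig = hmac.new(SHARED_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url_decode(sig), expected_sig):
        return False, "bad signature"
    claims = json.loads(b64url_decode(body))
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]  # aud may be a string or a list
    if expected_audience not in audiences:
        return False, f"aud {audiences!r} does not include this authorization server"
    return True, "ok"

# An ID Token as the thread describes it: its audience is the client, not the AS.
ID_TOKEN = make_jwt({"iss": "https://op.example.org", "sub": "alice",
                     "aud": "client-123"})
# An assertion minted for the bearer grant, naming the AS as audience.
ASSERTION = make_jwt({"iss": "https://op.example.org", "sub": "alice",
                      "aud": AS_IDENTIFIER})
```

Running `verify_bearer_jwt(ID_TOKEN, AS_IDENTIFIER)` rejects the ID Token on the aud check even though its signature is valid, which is exactly the mismatch the reply points out.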