A new draft of “OAuth 2.0 Token Exchange” has been published addressing review comments on the prior draft. The changes from -03 are listed here:
- Clarified that the “resource” and “audience” request parameters can be used at the same time (via http://www.ietf.org/mail-archive/web/oauth/current/msg15335.html).
- Clarified subject/actor token validity after token exchange and explained a bit more about the recommendation to not issue refresh tokens (via http://www.ietf.org/mail-archive/web/oauth/current/msg15318.html).
- Updated the examples appendix to use an issuer value that doesn’t imply that the client issued and signed the tokens, and used “Bearer” and “urn:ietf:params:oauth:token-type:access_token” in one of the responses (via http://www.ietf.org/mail-archive/web/oauth/current/msg15335.html).
- Defined and registered urn:ietf:params:oauth:token-type:id_token, since some use cases perform token exchanges for ID Tokens and no URI to indicate that a token is an ID Token had previously been defined.
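As an added illustration (not part of the post or of the draft's own text), the following Python sketch of a token endpoint's request handling reflects the points above: `resource` and `audience` may both appear and repeat, the registered token-type URIs including the new `urn:ietf:params:oauth:token-type:id_token` are recognised, and a successful response carries `issued_token_type` and `token_type` `Bearer` while issuing no refresh token. The grant-type URI and the rule that `resource` is an absolute URI without a fragment come from the token exchange specification (retained in RFC 8693); the `invalid_target` error code follows RFC 8693; the function names, the default to an access token when `requested_token_type` is absent, and the sample request are constructed for this example.

```python
from urllib.parse import urlparse, parse_qs

GRANT_TYPE = "urn:ietf:params:oauth:grant-type:token-exchange"
# Token-type URIs named in the post; the id_token URI is the one newly registered in -04.
# Extend with the other registered values the deployment accepts.
TOKEN_TYPES = {
    "urn:ietf:params:oauth:token-type:access_token",
    "urn:ietf:params:oauth:token-type:id_token",
}

def _absolute_uri_no_fragment(value):
    """resource values must be absolute URIs (scheme present) with no fragment component."""
    parsed = urlparse(value)
    return bool(parsed.scheme) and not parsed.fragment

def validate_request(form_body):
    """Validate an application/x-www-form-urlencoded token exchange request.
    Returns (True, parsed) or (False, error_code)."""
    params = parse_qs(form_body, keep_blank_values=True)
    single = lambda k: params.get(k, [None])[0]
    if single("grant_type") != GRANT_TYPE:
        return False, "unsupported_grant_type"
    if not single("subject_token") or single("subject_token_type") not in TOKEN_TYPES:
        return False, "invalid_request"
    # resource and audience are independent and both repeatable: either, both or neither may be sent.
    resources = params.get("resource", [])
    if any(not _absolute_uri_no_fragment(r) for r in resources):
        return False, "invalid_target"
    audiences = params.get("audience", [])
    # Assumption for this example: default to an access token when no type is requested.
    requested = single("requested_token_type") or "urn:ietf:params:oauth:token-type:access_token"
    if requested not in TOKEN_TYPES:
        return False, "invalid_request"
    return True, {"resources": resources, "audiences": audiences, "requested_token_type": requested}

def build_response(issued_token, issued_token_type, token_type="Bearer"):
    """Success response. The issued token always travels in access_token; issued_token_type
    says what it is. No refresh_token is returned, per the draft's recommendation."""
    return {"access_token": issued_token, "issued_token_type": issued_token_type,
            "token_type": token_type, "expires_in": 60}

# Constructed sample request: both resource and audience present, subject token is an access token.
SAMPLE_REQUEST = ("grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Atoken-exchange"
                  "&subject_token=subjtoken123"
                  "&subject_token_type=urn%3Aietf%3Aparams%3Aoauth%3Atoken-type%3Aaccess_token"
                  "&resource=https%3A%2F%2Fbackend.example.com%2Fapi"
                  "&audience=urn%3Aexample%3Acooperation-context")

if __name__ == "__main__":
    ok, parsed = validate_request(SAMPLE_REQUEST)
    print(ok, parsed)
```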
The specification is available at:
An HTML-formatted version is also available at:
Thanks to Brian Campbell for doing most of the edits for this release.