The syntax of two JWT claims registered by the OAuth Token Exchange specification has been changed as a result of developer feedback. Developers pointed out that the OAuth Token Introspection specification [RFC 7662] uses a “
scope” string to represent scope values, whereas Token Exchange was defining an array-valued “
scp” claim to represent scope values. The former also uses a “
client_id” element to represent OAuth Client ID values, whereas the latter was using a “
cid” claim for the same purpose.
After consulting with the working group, the OAuth Token Exchange claim names have been changed to “
scope” and “
client_id“. Thanks to Torsten Lodderstedt for pointing out the inconsistencies and to Brian Campbell for seeking consensus and making the updates.
The specification is available at:
An HTML-formatted version is also available at: