The syntax of two JWT claims registered by the OAuth Token Exchange specification has been changed as a result of developer feedback. Developers pointed out that the OAuth Token Introspection specification [RFC 7662] uses a “scope” string to represent scope values, whereas Token Exchange was defining an array-valued “scp” claim to represent scope values. The former also uses a “client_id” element to represent OAuth Client ID values, whereas the latter was using a “cid” claim for the same purpose.
After consulting with the working group, the OAuth Token Exchange claim names have been changed to “scope” and “client_id”. Thanks to Torsten Lodderstedt for pointing out the inconsistencies and to Brian Campbell for seeking consensus and making the updates.
The specification is available at:
An HTML-formatted version is also available at:
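A resource server that may see tokens issued before and after this rename can normalize both spellings and reject tokens in which they disagree. The following is an added example, not code from the specification or its authors: the function and exception names are hypothetical, and it assumes the JWT signature and standard claims were already verified and that the “scope” string is space-delimited as in RFC 7662.

```python
# Added example: normalize scope / client ID claims from a verified JWT payload.
# Names (ClaimConflict, normalize_claims) are hypothetical, not from any library.

class ClaimConflict(ValueError):
    """Legacy and current claims disagree, or a claim has the wrong type."""


def _scopes_from_string(value):
    # Current form: one space-delimited string (assumption: as in RFC 7662).
    if not isinstance(value, str):
        raise ClaimConflict('"scope" must be a string')
    # Exact tokens, so a substring test like "read" in "readonly" cannot pass.
    return frozenset(tok for tok in value.split(" ") if tok)


def _scopes_from_array(value):
    # Legacy form: array-valued "scp" claim.
    ok = isinstance(value, list) and all(
        isinstance(tok, str) and tok and " " not in tok for tok in value)
    if not ok:
        raise ClaimConflict('"scp" must be an array of scope tokens')
    return frozenset(value)


def normalize_claims(payload, accept_legacy=False):
    """Return (frozenset_of_scopes, client_id) from a decoded payload dict."""
    if ("scp" in payload or "cid" in payload) and not accept_legacy:
        raise ClaimConflict("legacy scp/cid claims are not accepted")

    scopes = None
    if "scope" in payload:
        scopes = _scopes_from_string(payload["scope"])
    if "scp" in payload:
        legacy = _scopes_from_array(payload["scp"])
        if scopes is not None and legacy != scopes:
            raise ClaimConflict('"scope" and "scp" disagree')
        scopes = legacy

    client_id = payload.get("client_id")
    if "cid" in payload:
        if client_id is not None and payload["cid"] != client_id:
            raise ClaimConflict('"client_id" and "cid" disagree')
        client_id = payload["cid"]
    if client_id is not None and not isinstance(client_id, str):
        raise ClaimConflict("client ID must be a string")

    return (scopes if scopes is not None else frozenset()), client_id
```

Leave `accept_legacy` off once every issuer emits the new claim names, so a token cannot carry authorization data in a claim the rest of the system no longer inspects.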