The syntax of two JWT claims registered by the OAuth Token Exchange specification has been changed as a result of developer feedback. Developers pointed out that the OAuth Token Introspection specification [RFC 7662] uses a “scope†string to represent scope values, whereas Token Exchange was defining an array-valued “scp†claim to represent scope values. The former also uses a “client_id†element to represent OAuth Client ID values, whereas the latter was using a “cid†claim for the same purpose.
After consulting with the working group, the OAuth Token Exchange claim names have been changed to “scope†and “client_idâ€. Thanks to Torsten Lodderstedt for pointing out the inconsistencies and to Brian Campbell for seeking consensus and making the updates.
The specification is available at:
An HTML-formatted version is also available at:
No Comments » Posted under Claims & IETF & JSON & OAuth & Specifications