[mitreid-connect] Access Token & Scope

Yannick Béot yannick.beot at gmail.com
Sun Jan 4 16:47:05 EST 2015


Hi,

Access tokens generated by MITREid Connect and transmitted to the client
are JWT tokens but do not contain scopes.
Therefore, the resource server has to call the introspect URL to fetch the
scope.

Since MITREid is using signed JWT, the resource server can verify the
access token.
So why not include the scopes?

Do you declare in MITREid Connect the client application and the resource
server, the client application with no introspection right, the resource
server with introspection?

Best regards,

Yannick Béot
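
Added example, not part of the original message or of MITREid Connect's code: a resource server that verifies the JWT access token locally and, finding no `scope` claim in it, takes the scopes from introspection instead. HS256 with a made-up key stands in for the server's signature algorithm, and `fake_introspect`, the claims and the reply fields (`active`, `scope`, as in RFC 7662) are assumptions for the demo.

```python
import base64, hashlib, hmac, json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_jwt(claims: dict, key: bytes) -> str:
    """Build a constructed HS256 token (stand-in for the authorization server)."""
    head = b64url(json.dumps({"alg": "HS256"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url(sig)}"

def verify_jwt(token: str, key: bytes, now: float) -> dict:
    """Check the pinned algorithm, the signature and the expiry; return the claims."""
    head, body, sig = token.split(".")
    if json.loads(b64url_decode(head)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    want = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(want, b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body))
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims

def token_scopes(token: str, key: bytes, introspect, now: float) -> set:
    """Scopes from the token if it carries them, otherwise from introspection."""
    claims = verify_jwt(token, key, now)
    if "scope" in claims:
        return set(claims["scope"].split())
    reply = introspect(token)  # authenticated call made as the resource server
    if not reply.get("active"):
        raise ValueError("token not active")
    return set(reply.get("scope", "").split())

# Constructed sample data: key, claims and introspection reply are made up.
KEY = b"demo-key"
NOW = 1420408025.0
TOKEN = sign_jwt({"iss": "https://as.example/", "exp": NOW + 3600, "jti": "abc"}, KEY)

def fake_introspect(token: str) -> dict:
    """Stands in for the HTTP POST to the introspection endpoint."""
    return {"active": token == TOKEN, "scope": "openid profile"}
```

A valid signature only shows that the token was issued and has not been altered; the introspection reply is what reports revocation, which is why the `active` check stays even after local verification.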