Re: [OAUTH-WG] can a resource server provide indications about expected access tokens?

David Waite <> Sat, 11 December 2021 15:02 UTC

From: David Waite <>
Date: Sat, 11 Dec 2021 08:02:20 -0700
Cc: oauth <>
To: Nikos Fotiou <>
Subject: Re: [OAUTH-WG] can a resource server provide indications about expected access tokens?

> On Dec 11, 2021, at 3:35 AM, Nikos Fotiou <> wrote:
> Hi,
> I have a use case where a resource server is protected and can only be accessed if a JWT is presented. Is there any way for the server to "indicate" the "expected" format of the JWT? For example, respond to unauthorized requests with something that would be translated into "I expect tokens from iss X with claims [A,B,C]".

Normally, the scope of the token is part of the contract between the resource server and client (what sort of authorization is needed for the resource server), but other aspects of the relationship - such as format, or required information, or additional verification steps the user needs to take - are part of the contract between the AS and resource server.

The ways to work with indicating that these requirements exist at token issuance include:

1. Scopes - wrap requirements up into scopes, such as having an “admin” scope require additional user authentication, or a “purchasing” scope require the user’s shipping address be embedded as a claim

2. Resources - require the client to use the `resource` parameter to indicate which resource server the token is meant for, and use AS policy to say which RSs get what sort of tokens or have what sort of issuance policy.
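To make the two issuance-side mechanisms in the reply concrete, here is an added Python example; it is not code from this thread or from any OAuth library. A toy authorization server keys its issuance policy on the RFC 8707 `resource` value the client sends (rejecting unknown targets with `invalid_target`), and applies per-scope requirements of the kind the reply names: an `admin` scope that demands a stronger authentication context, and a `purchasing` scope that embeds the user's shipping address as a claim. The resource server then checks signature, expiry, audience and scope, and on failure answers with the RFC 6750 `WWW-Authenticate: Bearer` challenge (`invalid_token` with 401, `insufficient_scope` with 403 and a `scope` attribute), which is the standard way an RS signals the scope part of what it expects. `RESOURCE_POLICY`, `SCOPE_REQUIREMENTS`, `issue_token` and `rs_authorize` are hypothetical names, the URIs are constructed, and HS256 with a constructed shared key is used only so the block runs offline with the standard library.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed sample key so the example runs offline; a real AS would use an asymmetric key.
SECRET = b"constructed-demo-secret-do-not-reuse"

# Hypothetical AS policy keyed by the RFC 8707 `resource` value the client sends.
RESOURCE_POLICY = {
    "https://api.example/orders": {
        "issuer": "https://as.example",
        "allowed_scopes": {"orders:read", "purchasing", "admin"},
        "lifetime": 600,
    },
}

# Hypothetical per-scope issuance requirements, mirroring the two examples in the reply.
SCOPE_REQUIREMENTS = {
    "admin": {"min_acr": "mfa"},                        # extra user authentication
    "purchasing": {"embed_claim": "shipping_address"},  # user attribute copied into the token
}


class IssuanceError(Exception):
    """Raised when AS policy does not allow the requested token."""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, key: bytes) -> str:
    """Compact-serialise the claims as an HS256 JWT."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str, key: bytes, now=None) -> dict:
    """Check structure, algorithm, signature and expiry; return the claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(parts[0]))
    if header.get("alg") != "HS256":  # the RS pins the algorithm, it does not trust the header
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(parts[1]))
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("token expired")
    return claims


def issue_token(user: dict, requested_scopes, resource: str, key: bytes = SECRET, now=None) -> str:
    """AS side: apply resource policy and per-scope requirements, then mint the token."""
    policy = RESOURCE_POLICY.get(resource)
    if policy is None:
        raise IssuanceError("invalid_target")  # RFC 8707 error code for an unknown resource
    scopes = set(requested_scopes)
    unknown = scopes - policy["allowed_scopes"]
    if unknown:
        raise IssuanceError("invalid_scope: " + " ".join(sorted(unknown)))
    now = time.time() if now is None else now
    claims = {
        "iss": policy["issuer"],
        "sub": user["sub"],
        "aud": resource,  # binds the token to the resource server it was requested for
        "scope": " ".join(sorted(scopes)),
        "iat": int(now),
        "exp": int(now) + policy["lifetime"],
    }
    for scope in scopes:
        req = SCOPE_REQUIREMENTS.get(scope, {})
        if "min_acr" in req and user.get("acr") != req["min_acr"]:
            raise IssuanceError(f"scope {scope} requires acr={req['min_acr']}")
        if "embed_claim" in req:
            name = req["embed_claim"]
            if name not in user:
                raise IssuanceError(f"scope {scope} requires user attribute {name}")
            claims[name] = user[name]
    if "acr" in user:
        claims["acr"] = user["acr"]
    return sign_jwt(claims, key)


def rs_authorize(token: str, own_resource: str, required_scope: str, key: bytes = SECRET, now=None):
    """RS side: returns (200, claims) or (status, WWW-Authenticate value) per RFC 6750."""
    try:
        claims = verify_jwt(token, key, now)
    except ValueError as exc:
        return 401, f'Bearer error="invalid_token", error_description="{exc}"'
    if claims.get("aud") != own_resource:
        return 401, 'Bearer error="invalid_token", error_description="audience mismatch"'
    if required_scope not in claims.get("scope", "").split():
        return 403, f'Bearer error="insufficient_scope", scope="{required_scope}"'
    return 200, claims


if __name__ == "__main__":
    orders = "https://api.example/orders"
    alice = {"sub": "alice", "acr": "pwd", "shipping_address": "1 Example Street"}
    tok = issue_token(alice, ["orders:read", "purchasing"], orders)
    print(rs_authorize(tok, orders, "purchasing"))  # 200 with shipping_address embedded
    print(rs_authorize(tok, orders, "admin"))       # 403 insufficient_scope challenge
```

The `resource` value becomes the token's `aud`, so a token minted for the orders API is refused by any other resource server even though the same AS signed it; the per-scope checks run at issuance, so the `acr` and `shipping_address` requirements are enforced before the token ever reaches the client.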