Re: [OAUTH-WG] OAuth 2.0 Token Exchange: An STS for the REST of Us

nov matake <> Mon, 21 December 2015 06:32 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 757C01A89C4 for <>; Sun, 20 Dec 2015 22:32:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: 0.155
X-Spam-Status: No, score=0.155 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, FRT_BELOW2=2.154, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id XKhYXwgFF4-O for <>; Sun, 20 Dec 2015 22:32:05 -0800 (PST)
Received: from ( [IPv6:2607:f8b0:400e:c03::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 762151A89B9 for <>; Sun, 20 Dec 2015 22:32:05 -0800 (PST)
Received: by with SMTP id wq6so94446441pac.1 for <>; Sun, 20 Dec 2015 22:32:05 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113; h=content-type:mime-version:subject:from:in-reply-to:date:cc :message-id:references:to; bh=iFxYBUxfy2kzlwPkWzZdhrAYMd70E1uhKXnWde6D3A4=; b=E6pcf/l2T25sRhrrOEvlC0hJDhCq6DnJA8U25MnwXjpKbWC89cJOgWQztpAzMKx5CH Kn30eIpRFoOdvyYcvjzkLHFGo93N8OWa/piTbBe9AxbJhw06xv8HZUZUPJ6SJOaOUAYf WKMP0PYSEFYnm7wKGngnxlgCtEkqB8AURGSPM2EVGE77Hr6PLmYE7UG+O0GVGEK1lUXF JRlmE8/6kF3GaD3IoK5z1E8tzzGfXvDz0+dNRTpMqfEltf+5gcE8EhXrh78BKwATnY3a qj9iW/LoNrgkiQUNVkgNA+2iGbizS2F81H3pht4zRKPffnZBG/f95PNEVu7LIrLnjnxL 3Eww==
X-Received: by with SMTP id ez3mr24739582pab.5.1450679525119; Sun, 20 Dec 2015 22:32:05 -0800 (PST)
Received: from ([]) by with ESMTPSA id e74sm29314428pfb.91.2015. (version=TLSv1/SSLv3 cipher=OTHER); Sun, 20 Dec 2015 22:32:04 -0800 (PST)
Content-Type: multipart/alternative; boundary="Apple-Mail=_6F0CC499-1DE4-45C1-960F-1056FEF7BE22"
Mime-Version: 1.0 (Mac OS X Mail 9.2 \(3112\))
From: nov matake <>
In-Reply-To: <>
Date: Mon, 21 Dec 2015 15:32:02 +0900
Message-Id: <>
References: <>
To: Mike Jones <>
X-Mailer: Apple Mail (2.3112)
Archived-At: <>
Cc: "" <>
Subject: Re: [OAUTH-WG] OAuth 2.0 Token Exchange: An STS for the REST of Us
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 21 Dec 2015 06:32:07 -0000

Hi Mike,

I’m planning to use Token Exchange spec for a use-case described bewlow.

1. a native app obtains an access_token & an id_token from an IdP
2. the native app passes the id_token to its own backend component
3. the backend component obtains an access token from the IdP using the id_token via token exchange

In this use-case, the IdP will issue an id_token like below gist.

In the gist, “cnf” and “scopes" claim comes from OpenID Connect ACDC discussed in the NAPPS WG.

And now I realized ACDC defines “scopes” claim and Token Exchange defines “scp”.
In my case, the first id_token will includes “scopes” claim, and the access token issued to the client's backend component includes “scp” claim.
It’s theoretically OK, but I prefer those two claims have the same name…


> On Dec 14, 2015, at 17:05, Mike Jones <> wrote:
> I’m happy to report that a substantially revised OAuth 2.0 Token Exchange draft has been published that enables a broad range of use cases, while still remaining as simple as possible.  This draft unifies the approaches taken in the previous working group draft and draft-campbell-oauth-sts, incorporating working group input from the in-person discussions in Prague and mailing list discussions.  Thanks to all for your interest in and contributions to OAuth Token Exchange!  Brian Campbell deserves special recognition for doing much of the editing heavy lifting for this draft.
> The core functionality remains token type independent.  That said, new claims are also defined to enable representation of delegation actors in JSON Web Tokens (JWTs).  Equivalent claims could be defined for other token types by other specifications.
> See the Document History section for a summary of the changes made.  Please check it out!
> The specification is available at:
> · <>
> An HTML-formatted version is also available at:
> · <>
>                                                           -- Mike
> P.S.  This note was also posted at <> and as @selfissued <>.
> _______________________________________________
> OAuth mailing list
> <>
> <>