Claims in embedded access tokens

Question

Claims in embedded access tokens

Closed this issue 3 months ago · 2 comments

Section "Conformance for Brokers" of the AAI spec says

"Access tokens do not contain GA4GH Claims directly in the access token."

However, section "Embedded Access Token Format" says

"The payload claims MAY contain at least one GA4GH Claim ()."

I understand that the intention is that a Broker may decide to embed an upstream broker's access token to a downstream passport. Therefore, the spec would be more consistent if claims would be excluded from embedded access tokens, too.

Answer 1 · 2020-02-24T02:36:43.000Z

Wait was this addressed before we ratified?

Answer 2 · 2024-10-02T23:42:06.000Z

The second statement mentioned is not present in version 1.2, and the first statement has been strengthened to say MUST NOT ratehr than do not.