How does the AS know it should generate a JWT Authorization Grant formatted token?
In reading through section 2.3.1 it's unclear to me how the AS knows it should be generating a token for the purposes of chaining to a new domain other than the specification of the audience/resource.
Are we sure that this is sufficient given the other profiles of token exchange that exist? Could there be cases where the AS is generating a token for the AS in domain B and the desired response token is NOT a JWT Authorization Grant formatted token?
I think audience/resource will be sufficient for the majority of cases. And the (soon more allowed) requested_token_type can be used to differentiate, if needed.
We had the same problem with our implementation, and are using the requested_token_type parameter to indicate that this is a cross-domain authorization JWT instead of other uses of token exchange.
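As an added example (not code from this issue thread, the identity-chaining draft, or any particular AS), the following token-exchange handler shows the decision rule the comments above describe: the `resource`/`audience` values tell the AS whether the target is a trusted foreign AS, and `requested_token_type` disambiguates a cross-domain JWT authorization grant from other uses of token exchange. The trust list, the issuer URL, the HS256 demo key, the 300-second lifetime and the use of `subject_token` as an already-verified subject identifier are all constructed assumptions for illustration.

```python
# Added example: deciding, from resource/audience and requested_token_type,
# whether an RFC 8693 token-exchange request is a cross-domain chaining request
# that should be answered with a JWT authorization grant instead of a local
# access token. Trust list, issuer, key, lifetime and claim set are assumptions.
import base64
import hashlib
import hmac
import json
import time
import uuid

TOKEN_EXCHANGE = "urn:ietf:params:oauth:grant-type:token-exchange"
JWT_TYPE = "urn:ietf:params:oauth:token-type:jwt"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"

# Constructed: this AS is domain A and will only chain to the AS of domain B.
ISSUER = "https://as.domain-a.example"
TRUSTED_FOREIGN_AS = {"https://as.domain-b.example"}
SIGNING_KEY = b"constructed-demo-key-do-not-use"  # HS256 keeps the example offline
LIFETIME = 300


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _targets(params: dict) -> set:
    # RFC 8693 allows both parameters, each possibly repeated; treat the union as targets.
    return set(params.get("resource", [])) | set(params.get("audience", []))


def classify_request(params: dict) -> str:
    """Return 'chaining' (issue a JWT authorization grant for a foreign AS)
    or 'access_token' (ordinary in-domain exchange); raise ValueError otherwise."""
    if params.get("grant_type") != TOKEN_EXCHANGE:
        raise ValueError("unsupported_grant_type")
    if "subject_token" not in params or "subject_token_type" not in params:
        raise ValueError("invalid_request: subject_token and subject_token_type are required")
    targets = _targets(params)
    foreign = targets & TRUSTED_FOREIGN_AS
    if targets - foreign - {ISSUER}:
        raise ValueError("invalid_target: unknown resource or audience")
    requested = params.get("requested_token_type")
    if foreign:
        # A trusted foreign AS as the target is the chaining signal; requested_token_type,
        # when present, must agree, so the AS never silently issues the wrong token kind.
        if requested in (None, JWT_TYPE):
            return "chaining"
        raise ValueError("invalid_target: only a JWT authorization grant is issued for a foreign AS")
    if requested in (None, ACCESS_TOKEN_TYPE):
        return "access_token"
    raise ValueError("invalid_request: unsupported requested_token_type for in-domain exchange")


def _sign_jwt(claims: dict) -> str:
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def decode_claims(token: str) -> dict:
    """Verify the demo HS256 signature and return the claim set."""
    head, body, sig = token.split(".")
    expected = hmac.new(SIGNING_KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(body))


def token_exchange(params: dict, now: int = None) -> dict:
    """Build the RFC 8693 response body for a classified request."""
    kind = classify_request(params)
    now = int(time.time()) if now is None else now
    if kind == "chaining":
        aud = sorted(_targets(params) & TRUSTED_FOREIGN_AS)
        claims = {
            "iss": ISSUER,
            # Assumption: subject_token was validated earlier and is the subject identifier.
            "sub": params["subject_token"],
            "aud": aud[0] if len(aud) == 1 else aud,
            "iat": now,
            "exp": now + LIFETIME,
            "jti": str(uuid.uuid4()),
        }
        # RFC 8693: token_type is "N_A" when the issued token is not an access token.
        return {"access_token": _sign_jwt(claims), "issued_token_type": JWT_TYPE,
                "token_type": "N_A", "expires_in": LIFETIME}
    return {"access_token": _b64url(uuid.uuid4().bytes), "issued_token_type": ACCESS_TOKEN_TYPE,
            "token_type": "Bearer", "expires_in": LIFETIME}
```

The key point is in `classify_request`: the foreign `audience`/`resource` alone selects the chaining path, but an explicit `requested_token_type` that contradicts it is rejected rather than guessed at, which is exactly the ambiguity the question above raises and the reason the last comment sends `requested_token_type` explicitly.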