oauth-wg/oauth-identity-chaining

How does the AS know it should generate a JWT Authorization Grant formatted token?

Closed this issue · 3 comments

In reading through section 2.3.1 it's unclear to me how the AS knows it should be generating a token for the purposes of chaining to a new domain other than the specification of the audience/resource.

Are we sure that this is sufficient given the other profiles of token exchange that exist? Could there be cases where the AS is generating a token for the AS in domain B and the desired response token is NOT a JWT Authorization Grant formatted token?

I think audience/resource will be sufficient for the majority of cases. And the (soon more allowed) requested_token_type can be used to differentiate, if needed.

We had the same problem with our implementation, and are using the requested_token_type parameter to indicate that this is a cross-domain authorization JWT instead of other uses of token exchange.

#83 was merged
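As an added illustration (not code from the draft or from anyone in this thread), one way an AS could make the decision the two replies describe: treat an explicit `requested_token_type` as the unambiguous signal, and otherwise fall back to `audience`/`resource` naming a known AS in another domain. The token-type URN, the trusted-AS list and the sample request body are placeholders and constructed values, not taken from the draft.

```python
from urllib.parse import parse_qs, urlencode

TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"  # RFC 8693
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"       # RFC 8693
# Placeholder URN: substitute the JWT authorization grant token type defined by
# the version of the identity-chaining draft you implement.
JWT_AUTHZ_GRANT_TYPE = "urn:example:token-type:jwt-authorization-grant"
# Constructed config: token endpoints of authorization servers in other domains
# that this AS is willing to issue chaining grants for.
TRUSTED_REMOTE_AS = {"https://as.domain-b.example/token"}

def classify_exchange(form_body: str) -> dict:
    """Decide what a token exchange request is asking for.

    Returns {"kind": "jwt-authz-grant" | "local-exchange", "targets": [...]}.
    Decision order follows the thread: an explicit requested_token_type wins;
    without it, audience/resource values naming a trusted remote AS decide.
    """
    p = parse_qs(form_body, keep_blank_values=True)
    if p.get("grant_type") != [TOKEN_EXCHANGE_GRANT]:
        raise ValueError("not a token exchange request")
    for required in ("subject_token", "subject_token_type"):
        if len(p.get(required, [])) != 1:
            raise ValueError(f"{required} must appear exactly once")
    requested = p.get("requested_token_type", [])
    if len(requested) > 1:
        raise ValueError("requested_token_type must not repeat")
    targets = p.get("audience", []) + p.get("resource", [])
    remote = [t for t in targets if t in TRUSTED_REMOTE_AS]
    if requested == [JWT_AUTHZ_GRANT_TYPE]:
        # Explicit chaining request: every target must be a trusted remote AS.
        if not targets or len(remote) != len(targets):
            raise ValueError("chaining grant needs a trusted remote AS as audience/resource")
        return {"kind": "jwt-authz-grant", "targets": targets}
    if requested:
        # Some other token exchange profile (e.g. an access token for a local RS).
        return {"kind": "local-exchange", "targets": targets}
    # No requested_token_type: infer from audience/resource alone.
    if remote and len(remote) != len(targets):
        raise ValueError("mixing a remote AS with local targets is ambiguous")
    return {"kind": "jwt-authz-grant" if remote else "local-exchange", "targets": targets}

def sample_request(**extra) -> str:
    """Constructed token exchange body; extra keys add or override parameters."""
    params = {
        "grant_type": TOKEN_EXCHANGE_GRANT,
        "subject_token": "SUBJECT_TOKEN_PLACEHOLDER",  # constructed, not a real token
        "subject_token_type": ACCESS_TOKEN_TYPE,
    }
    params.update(extra)
    return urlencode(params, doseq=True)
```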