`purp` claim name and optionality
tulshi opened this issue · 1 comments
tulshi commented
From Yaron's feedback email:
need a lot more discussion of this claim, also it may be OPTIONAL too. Also, why not call it "scope" if that's what it is?
tulshi commented
From @gffletch:
- In an external to internal flow, the scopes tend to be broad. The TraT can be set to a more specific to narrow the use of the TraT.
- We could call it scope, but it could be confused with the OAuth scope
- One could set the `purp` value to the actual API that was called to be very specific
We should add a sub-section to describe the above in the draft.