-
assigned issue to
- changed status to open
Messages - 3.3.4.2 Distributed claim without access_token
Issue #15
resolved
When access_token is not present in a distributed claim, it is not clear how the resource should be accessed. Without any access_token, or using the default access_token that was used to access the userinfo endpoint?
Clarification text needed.
Comments (3)
-
reporter -
Looks clearer in Draft 04 of Messages.
-
- changed status to resolved
Need to make sure that the new text below is what the WG think is right.
access_token
OPTIONAL. Access token enabling retrieval of the claims from the endpoint URL by using the OAuth 2.0 Bearer [OAuth.2.0.Bearer] scheme. Claims SHOULD be requested using the Authorization request header field and claims sources MUST support this method. If the access token is not available, clients MAY need to retrieve the access token out of band or use an a priori access token that was negotiated between the claim source and client, or the claim source MAY reauthenticate the user and/or reauthorize the client.
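A client-side sketch of the rule in the proposed text, added here as an example and not part of the issue thread or the specification. It assumes a claim source object with `endpoint` and optional `access_token` members; the `a_priori_tokens` map, the function name and the sample hosts are hypothetical.

```python
import re
from urllib.parse import urlsplit
from urllib.request import Request

# RFC 6750 b64token syntax. Rejecting anything else also keeps CR/LF out of
# the Authorization header.
B64TOKEN = re.compile(r"[A-Za-z0-9\-._~+/]+=*")


class TokenRequired(Exception):
    """No usable token: get one out of band, or let the claim source
    reauthenticate the user / reauthorize the client."""


def build_claims_request(source, a_priori_tokens):
    """Build (but do not send) the GET request for one distributed claim.

    source          -- dict with "endpoint" and optional "access_token"
    a_priori_tokens -- hypothetical map {host: token} of tokens negotiated
                       in advance between this client and each claim source
    """
    endpoint = source["endpoint"]
    parts = urlsplit(endpoint)
    # Bearer tokens are only safe over TLS (RFC 6750), so refuse plain http.
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("claim source endpoint must be an https URL")

    token = source.get("access_token") or a_priori_tokens.get(parts.hostname)
    if token is None:
        # Assumption of this example: the UserInfo access token is never used
        # as a fallback, because the proposed text does not list it as an
        # option and it was issued for a different resource.
        raise TokenRequired(parts.hostname)
    if not B64TOKEN.fullmatch(token):
        raise ValueError("access token is not a valid Bearer b64token")

    # Token goes in the Authorization request header field, the method that
    # claim sources MUST support.
    return Request(endpoint, headers={"Authorization": "Bearer " + token},
                   method="GET")
```
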