Add example for verified_claims included in access token
Issue #1214
resolved
In section verified_claims delivery it is mentioned that verified_claims can be included in the access token. We should add an example for this. OIDCC does allow claims to be returned in the ID token as well as from the user info endpoint. The concept of having this inside of the access token is specific to eKYCC and should thus be exemplified.
Comments (4)
-
reporter -
Re access token example: my suggestion is to base it on the JWT profile developed at the OAuth WG, which is approaching completion:
https://tools.ietf.org/html/draft-ietf-oauth-access-token-jwt-10
-
reporter -
assigned issue to
-
assigned issue to
-
reporter - changed status to resolved
Addressed with PR#85
Also … not sure if this would mandate another ticket … the last part of the sentence is confusing: “OAuth Authorization Servers can add verified_claims to access tokens in JWT format or Token Introspection responses, either in plain JSON or JWT-protected format.” JWT is not a protection per se. It’s just a format. A JWT could be unsigned.
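
An added example, not part of the original issue or of the eKYC specification: a resource-server-side check illustrating the last comment's point that JWT is only a format. It builds a constructed access token carrying verified_claims, once signed and once with alg "none", and returns the claims only when typ is at+jwt and the signature verifies. HS256 with a shared key, the issuer and audience URLs and all claim values are assumptions made to keep the example standard-library-only; iss, aud and exp validation is left out.

```python
import base64, hashlib, hmac, json

KEY = b"constructed-demo-key"  # assumption: shared HS256 key, for this demo only

# Constructed sample payload: JWT access token claims as in the OAuth WG
# JWT profile draft, carrying a verified_claims element.
PAYLOAD = {
    "iss": "https://as.example.com", "aud": "https://rs.example.com",
    "sub": "248289761001", "client_id": "s6BhdRkqt3",
    "iat": 1600000000, "exp": 1600003600, "jti": "constructed-jti-1",
    "verified_claims": {
        "verification": {"trust_framework": "de_aml"},
        "claims": {"given_name": "Max", "family_name": "Meier"},
    },
}

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_token(header, payload, key=None):
    # With key=None the signature part is empty, i.e. an unsigned JWT.
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(payload).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest() if key else b""
    return signing_input + "." + b64url(sig)

def read_verified_claims(token, key):
    """Return verified_claims only from a signed at+jwt token."""
    head_b64, body_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(head_b64))
    if header.get("alg") != "HS256":  # rejects "none" and any unexpected alg
        raise ValueError("unacceptable alg")
    if header.get("typ") != "at+jwt":
        raise ValueError("not a JWT access token")
    expected = hmac.new(key, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(body_b64))["verified_claims"]

SIGNED = make_token({"alg": "HS256", "typ": "at+jwt"}, PAYLOAD, KEY)
UNSIGNED = make_token({"alg": "none", "typ": "at+jwt"}, PAYLOAD)
```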