JWT access/refresh token claims

Issue #8 new
Nov Matake created an issue

Is the sentence below suggesting that the refresh token's audience SHOULD be resource servers instead of the authorization server? How to distinguish access tokens from refresh tokens?

The current trend seems to be defining "typ" for each token type, but at least there should be some guidance to distinguish those two token types.

"Refresh tokens SHOULD be signed with JWS using the same public key and contain the same set of claims as the access tokens."
ref.) http://openid.net/specs/openid-heart-oauth2-1_0-2017-05-31.html#rfc.section.3.2
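
An added illustration of the concern raised in this issue (not part of the issue or of the HEART profile): when refresh and access tokens carry the same claims under the same key, a resource server that checks only signature and `aud` cannot tell them apart, while a `typ` header check can. Assumptions: HS256 with a constructed key stands in for the profile's JWS signing so the sketch needs only the standard library; `at+jwt` is the `typ` value RFC 9068 defines for JWT access tokens; `rt+jwt`, the URLs and the function names are hypothetical.

```python
import base64, hashlib, hmac, json

KEY = b"constructed-demo-key"      # constructed; stands in for the AS signing key
RS = "https://rs.example"          # hypothetical resource server identifier

def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64u_dec(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(header: dict, claims: dict) -> str:
    """Build a compact JWS over header and claims."""
    body = b64u(json.dumps(header).encode()) + "." + b64u(json.dumps(claims).encode())
    return body + "." + b64u(hmac.new(KEY, body.encode(), hashlib.sha256).digest())

def verify_signature(token: str):
    """Return (header, claims) or raise ValueError. Expiry checks are omitted here."""
    h, p, s = token.split(".")
    expected = hmac.new(KEY, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64u_dec(s)):
        raise ValueError("bad signature")
    header = json.loads(b64u_dec(h))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    return header, json.loads(b64u_dec(p))

def rs_accepts_naive(token: str, me: str) -> bool:
    """Resource server that checks signature and audience only."""
    try:
        _, claims = verify_signature(token)
    except ValueError:
        return False
    return claims.get("aud") == me

def rs_accepts_typed(token: str, me: str) -> bool:
    """Resource server that also requires the access-token typ header."""
    try:
        header, claims = verify_signature(token)
    except ValueError:
        return False
    return str(header.get("typ", "")).lower() == "at+jwt" and claims.get("aud") == me

# Constructed sample tokens: same claim set for both token types, as the quoted sentence asks.
BASE = {"iss": "https://as.example", "aud": RS, "sub": "user-1", "scope": "read"}
REFRESH_UNTYPED = sign({"alg": "HS256"}, dict(BASE, jti="r-1"))
ACCESS_TYPED = sign({"alg": "HS256", "typ": "at+jwt"}, dict(BASE, jti="a-1"))
REFRESH_TYPED = sign({"alg": "HS256", "typ": "rt+jwt"}, dict(BASE, jti="r-2"))

if __name__ == "__main__":
    print("naive RS accepts refresh token:", rs_accepts_naive(REFRESH_UNTYPED, RS))
    print("typed RS accepts refresh token:", rs_accepts_typed(REFRESH_TYPED, RS))
    print("typed RS accepts access token: ", rs_accepts_typed(ACCESS_TYPED, RS))
```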
