jspωiki
Act (Actor) Claim

Overview#

Act (Actor) Claim is described in OAuth 2.0 Token Exchange as provides a means within a JWT to express that delegation has occurred and identify the acting party to whom authority has been delegated.

Act (Actor) Claim is a JSON object and members in the JSON object are claims that identify the actor. The claims that make up the "act" claim identify and possibly provide additional information about the actor. For example, the combination of the two claims "iss" and "sub" might be necessary to uniquely identify an actor.

However, claims within the "act" claim pertain only to the Digital Identity of the actor and are not relevant to the validity of the containing JWT in the same manner as the top-level claims. Consequently, claims such as "exp", "nbf", and "aud" are not meaningful when used within an "act" claim, and therefore SHOULD NOT be used. The following example illustrates the "act" (actor) claim within a JWT Claims Set. The claims of the token itself are about user@example.com while the "act" claim indicates that admin@example.com is the current actor.

    {
      "aud":"https://consumer.example.com",
      "iss":"https://issuer.example.com",
      "exp":1443904177,
      "nbf":1443904077,
      "sub":"user@example.com",
      "act":
      {
        "sub":"admin@example.com"
      }
    }
A chain of delegation can be expressed by nesting one "act" claim within another. The outermost "act" claim represents the current actor while nested "act" claims represent prior actors. The least recent actor is the most deeply nested.

The following example illustrates nested "act" (actor) claims within a JWT Claims Set. The claims of the token itself are about user@example.com while the "act" claim indicates that the system consumer.example.com-web-application is the current actor and admin@example.com was a prior actor. Such a token might come about as the result of the web application receiving a token like the one in the previous example and exchanging it for a new token that lists it as the current actor and that can be used at https://backend.example.com.

    {
      "aud":"https://backend.example.com",
      "iss":"https://issuer.example.com",
      "exp":1443904100,
      "nbf":1443904000,
      "sub":"user@example.com",
      "act":
      {
        "sub":"consumer.example.com-web-application",
        "iss":"https://issuer.example.net",
        "act":
        {
          "sub":"admin@example.com"
        }
      }
    }
When included as a top-level member of an OAuth Token introspection response, "act" has the same semantics and format as the the claim of the same name.

More Information#

There might be more information for this subject on one of the following: