Overview#

May_act (May Act For) Claim is described in OAuth 2.0 Token Exchange that May_act (May Act For) Claim makes a statement that one party is authorized to become the actor and act on behalf of another party.

The claim value is a JSON object and members in the JSON object are claims that identify the party that is asserted as being eligible to act for the party identified by the JWT containing the claim. The claims that make up the "may_act" claim identify and possibly provide additional information about the authorized actor.

For example, the combination of the two claims "iss" and "sub" are sometimes necessary to uniquely identify an authorized actor, while the "email" claim might be used to provide additional useful information about that party.

However, claims within the May_act (May Act For) Claim pertain only to the identity of that party and are not relevant to the validity of the containing JWT in the same manner as top level claims. Consequently, claims such as "exp", "nbf", and "aud" are not meaningful when used within a May_act (May Act For) Claim, and therefore should not be used.

The following example illustrates the May_act (May Act For) Claim within a JWT Claims Set. The claims of the token itself are about user@example.com while the "may_act" claim indicates that admin@example.com is authorized to act on behalf of user@example.com.

{
  "aud":"https://consumer.example.com",
  "iss":"https://issuer.example.com",
  "exp":1443904177,
  "nbf":1443904077,
  "sub":"user@example.com",
  "may_act":
  {
    "sub":"admin@example.com"
  }
}

When included as a top-level member of an OAuth 2.0 Token Introspection Response, May_act (May Act For) Claim has the same semantics and format as the the claim of the same name.

More Information#

There might be more information for this subject on one of the following:

Add new attachment

Only authorized users are allowed to upload new attachments.
« This page (revision-1) was last changed on 18-Mar-2017 15:14 by jim