This page (revision-1) was last changed on 29-Nov-2024 16:16 by UnknownAuthor

!!! Overview
[{$pagename}] is described in [OAuth 2.0 Token Exchange] as providing a means within a [JWT] to express that [delegation] has occurred and to identify the acting party to whom authority has been delegated.
[{$pagename}] is a [JSON] object and members in the [JSON] object are claims that identify the actor. The claims that make up the "act" claim identify and possibly provide additional information about the actor. For example, the combination of the two claims "[iss]" and "[sub]" might be necessary to uniquely identify an actor.
However, claims within the "act" claim pertain only to the [Digital Identity] of the actor and are not relevant to the validity of the containing [JWT] in the same manner as the top-level claims. Consequently, claims such as "[exp]", "[nbf]", and "[aud]" are __not meaningful__ when used within an "act" claim, and therefore [SHOULD NOT] be used.
The following [example] illustrates the "act" (actor) claim within a [JWT] Claims Set. The claims of the token itself are __about user@example.com__ while the "act" claim indicates that __admin@example.com is the current [actor]__.
%%prettify
{{{
{
  "aud": "https://consumer.example.com",
  "iss": "https://issuer.example.com",
  "exp": 1443904177,
  "nbf": 1443904077,
  "sub": "user@example.com",
  "act": {
    "sub": "admin@example.com"
  }
}
}}} /%
A chain of delegation can be expressed by nesting one "act" claim within another. The outermost "act" claim represents the current actor while nested "act" claims represent prior actors. The least recent actor is the most deeply nested.
The following [example] illustrates nested "act" (actor) claims within a [JWT Claims Set]. The claims of the token itself are __about user@example.com__ while the "act" claim indicates that the system __consumer.example.com-web-application is the current actor__ and __admin@example.com was a prior actor__.
Such a token might come about as the result of the web [application] receiving a [token] like the one in the previous example and exchanging it for a new token that lists it as the current [actor] and that can be used at https://backend.example.com.
%%prettify
{{{
{
  "aud": "https://backend.example.com",
  "iss": "https://issuer.example.com",
  "exp": 1443904100,
  "nbf": 1443904000,
  "sub": "user@example.com",
  "act": {
    "sub": "consumer.example.com-web-application",
    "iss": "https://issuer.example.net",
    "act": {
      "sub": "admin@example.com"
    }
  }
}
}}} /%
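The two examples above show the structure; the following Python is an added worked example (not part of the RFC text or of this wiki) that walks a nested "act" chain from the current actor down to the least recent one, flags "exp", "nbf" and "aud" members that have no meaning inside an "act" claim, and models the exchange step in which the web application becomes the current actor and the previous actor is nested one level deeper. The sample claims set is a constructed copy of the nested example; the helper names (delegation_chain, act_claim_warnings, add_actor) are assumptions of this example and not RFC-defined functions.

```python
import json

# Claims that are only meaningful at the top level of a JWT and, per the text
# above, SHOULD NOT appear inside an "act" claim (assumed set, from RFC 8693).
TOP_LEVEL_ONLY = frozenset({"exp", "nbf", "aud"})

# Constructed sample: the nested "act" example from this page, as a JSON string.
SAMPLE_NESTED = """{
  "aud": "https://backend.example.com",
  "iss": "https://issuer.example.com",
  "exp": 1443904100,
  "nbf": 1443904000,
  "sub": "user@example.com",
  "act": {
    "sub": "consumer.example.com-web-application",
    "iss": "https://issuer.example.net",
    "act": {"sub": "admin@example.com"}
  }
}"""


def parse_claims(text):
    """Decode a JWT Claims Set (or introspection response body) from JSON text."""
    claims = json.loads(text)
    if not isinstance(claims, dict):
        raise ValueError("claims set must be a JSON object")
    return claims


def delegation_chain(claims):
    """Return the actors from the current one (outermost "act") to the least
    recent one (innermost), each stripped of its own nested "act" member."""
    chain = []
    act = claims.get("act")
    while act is not None:
        if not isinstance(act, dict):
            raise ValueError('"act" must be a JSON object')
        chain.append({k: v for k, v in act.items() if k != "act"})
        act = act.get("act")
    return chain


def actor_key(actor):
    """Identify an actor by the (iss, sub) pair; iss is None when omitted."""
    return (actor.get("iss"), actor.get("sub"))


def act_claim_warnings(claims):
    """Report members inside any "act" object that only carry meaning at the
    top level of the token, so a validator does not mistake them for limits."""
    warnings = []
    for depth, actor in enumerate(delegation_chain(claims)):
        for name in sorted(TOP_LEVEL_ONLY.intersection(actor)):
            warnings.append(f'act depth {depth}: "{name}" is not meaningful here')
    return warnings


def add_actor(claims, actor, aud, exp, nbf):
    """Hypothetical model of the token-exchange step described above: produce a
    new claims set for audience `aud` that lists `actor` as the current actor
    and pushes any previous "act" chain one level deeper."""
    if TOP_LEVEL_ONLY.intersection(actor):
        raise ValueError("an actor identity must not carry exp/nbf/aud")
    new_act = dict(actor)
    if "act" in claims:
        new_act["act"] = claims["act"]
    new_claims = {k: v for k, v in claims.items() if k != "act"}
    new_claims.update({"aud": aud, "exp": exp, "nbf": nbf, "act": new_act})
    return new_claims


if __name__ == "__main__":
    claims = parse_claims(SAMPLE_NESTED)
    print("subject:", claims["sub"])
    for depth, actor in enumerate(delegation_chain(claims)):
        label = "current actor" if depth == 0 else f"prior actor {depth}"
        print(f"{label}: {actor_key(actor)}")
    print("warnings:", act_claim_warnings(claims))
```

Because "act" in a token introspection response has the same format, the same functions can be run over an introspection result; a resource server that makes authorization decisions on the actor should key them on the (iss, sub) pair rather than "sub" alone, as the text above notes that both may be needed to identify an actor uniquely.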
When included as a top-level member of an [OAuth 2.0 Token Introspection] response, "act" has the same semantics and format as the claim of the same name.
!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]