!!! Overview
[{$pagename}] is described in [OAuth 2.0 Token Exchange]. The [{$pagename}] claim makes a statement that one party is authorized to become the actor and act on behalf of another party.


The claim value is a [JSON] object and members in the [JSON] object are claims that identify the party that is asserted as being eligible to act for the party identified by the [JWT] containing the claim.  The claims that make up the "may_act" claim identify and possibly provide additional information about the [authorized] [actor].  

For example, the combination of the two claims "[iss]" and "[sub]" is sometimes necessary to uniquely identify an authorized actor, while the "email" claim might be used to provide additional useful information about that party.

However, claims within the [{$pagename}] pertain only to the identity of that party and are not relevant to the validity of the containing [JWT] in the same manner as top-level claims.  Consequently, claims such as "[exp]", "[nbf]", and "[aud]" are not meaningful when used within a [{$pagename}], and therefore [SHOULD NOT] be used.

The following example illustrates the [{$pagename}] within a [JWT] Claims Set.  The claims of the token itself are about user@example.com while the "may_act" claim indicates that admin@example.com is authorized to act on behalf of user@example.com.
%%prettify 
{{{
{
  "aud":"https://consumer.example.com",
  "iss":"https://issuer.example.com",
  "exp":1443904177,
  "nbf":1443904077,
  "sub":"user@example.com",
  "may_act":
  {
    "sub":"admin@example.com"
  }
}
}}} /%

When included as a top-level member of an [OAuth 2.0 Token Introspection] Response, [{$pagename}] has the same semantics and format as the claim of the same name.
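
As an added example (not taken from the specification or from this page's original text), the following Python function shows how an authorization server might compare an actor token's claims against the "may_act" claim of a subject token. It assumes both tokens have already had their signatures and top-level "exp", "nbf" and "aud" validated; the function name, the fallback to the subject token's issuer when "may_act" omits "iss", and the decision to reject validity claims found inside "may_act" are assumptions of this example.

```python
# Claims about token validity; they carry no meaning inside may_act.
VALIDITY_CLAIMS = {"exp", "nbf", "aud"}


def actor_is_authorized(subject_claims, actor_claims):
    """Return (allowed, reason) for an actor presented with a subject token.

    Both arguments are claims sets from tokens that were already verified.
    """
    may_act = subject_claims.get("may_act")
    if not isinstance(may_act, dict) or "sub" not in may_act:
        return False, "no may_act claim naming an actor"

    # Assumption: fail closed if the issuer put validity claims in may_act.
    misplaced = sorted(VALIDITY_CLAIMS.intersection(may_act))
    if misplaced:
        return False, "validity claims inside may_act: " + ", ".join(misplaced)

    if actor_claims.get("sub") != may_act["sub"]:
        return False, "actor sub does not match may_act"

    # "sub" alone can collide across issuers, so "iss" is always compared.
    # Assumption: a may_act without "iss" means the subject token's issuer.
    expected_iss = may_act.get("iss", subject_claims.get("iss"))
    if expected_iss is None or actor_claims.get("iss") != expected_iss:
        return False, "actor iss does not match"

    # Other members (for example "email") are informational and not compared.
    return True, "actor authorized by may_act"


# Constructed sample claims sets, based on the example on this page.
SUBJECT = {
    "aud": "https://consumer.example.com",
    "iss": "https://issuer.example.com",
    "exp": 1443904177,
    "nbf": 1443904077,
    "sub": "user@example.com",
    "may_act": {"sub": "admin@example.com"},
}
ADMIN = {"iss": "https://issuer.example.com", "sub": "admin@example.com"}
ADMIN_OTHER_ISSUER = {"iss": "https://other.example.net", "sub": "admin@example.com"}
SOMEONE_ELSE = {"iss": "https://issuer.example.com", "sub": "guest@example.com"}

if __name__ == "__main__":
    for actor in (ADMIN, ADMIN_OTHER_ISSUER, SOMEONE_ELSE):
        print(actor["iss"], actor["sub"], actor_is_authorized(SUBJECT, actor))
```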

!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]