9. Resource Servers

In order to enable the RS to enforce the authorization details as approved in the authorization process, the AS MUST make this data available to the RS. The AS MAY add the authorization_details field to access tokens in JSON Web Token (JWT) format or to token introspection responses.

9.1. JWT-Based Access Tokens

If the access token is a JWT [RFC7519], the AS is RECOMMENDED to add the authorization details object, filtered to the elements relevant to the token's audience, as a top-level claim. The AS will typically also add further claims to the JWT that the RS requires for request processing, e.g., user ID, roles, and transaction-specific data. Which claims a particular RS requires is defined by the RS-specific policy agreed between that RS and the AS.

9.2. Token Introspection

Token introspection [RFC7662] provides a means for an RS to query the AS to determine information about an access token. If the AS includes authorization detail information for the token in its response, the information MUST be conveyed with authorization_details as a top-level member of the introspection response JSON object. The authorization_details member MUST contain the same structure defined in Section 2, potentially filtered and extended for the RS making the introspection request.
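The following is an added example and not code from RFC 9396 or any implementation it references. It shows, for both Section 9.1 and Section 9.2, the AS-side step of filtering the approved authorization_details to the RS that will consume them, emitting the result either as a top-level JWT claim or as a top-level member of an introspection response, and the RS-side check that enforces the details. The RS URLs, issuer, subject, approved details and HS256 key are constructed for the example; the filtering policy (an element is forwarded only to the RSs listed in its "locations" hint, and elements with no hint are dropped) is an assumption, not a rule stated in the specification. A real AS would normally sign with an asymmetric key rather than a shared HMAC secret.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed example: authorization details approved in the authorization
# process (the Section 2 structure). The "locations" hints name the RS each
# element is meant for; both URLs are hypothetical.
APPROVED_DETAILS = [
    {
        "type": "payment_initiation",
        "locations": ["https://api.example.com/payments"],
        "actions": ["initiate", "status"],
        "instructedAmount": {"currency": "EUR", "amount": "123.50"},
    },
    {
        "type": "account_information",
        "locations": ["https://api.example.com/accounts"],
        "actions": ["list_accounts", "read_balances"],
    },
]

SIGNING_KEY = b"example-only-hs256-key-do-not-use"  # constructed; AS and RS share it
ISSUER = "https://as.example.com"                    # hypothetical AS


def filter_for_audience(details, audience):
    """Assumed policy: forward an element to an RS only if its "locations"
    hint lists that RS; elements that name no location are not forwarded."""
    return [d for d in details if audience in d.get("locations", [])]


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_jwt_access_token(subject, audience, details, key=SIGNING_KEY, now=None, ttl=300):
    """Section 9.1: the AS places the audience-filtered authorization_details
    as a top-level claim beside the other claims the RS needs."""
    now = int(time.time() if now is None else now)
    header = {"typ": "at+jwt", "alg": "HS256"}
    claims = {
        "iss": ISSUER, "sub": subject, "aud": audience,
        "iat": now, "exp": now + ttl,
        "authorization_details": filter_for_audience(details, audience),
    }
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims))
    mac = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(mac)


def verify_jwt_access_token(token, expected_aud, key=SIGNING_KEY, now=None):
    """RS side: accept only HS256, check the MAC in constant time, then issuer,
    audience and expiry. Returns the claims, or None on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        header = json.loads(_b64url_decode(parts[0]))
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
            return None
        claims = json.loads(_b64url_decode(parts[1]))
    except ValueError:  # malformed base64url, UTF-8 or JSON
        return None
    now = int(time.time() if now is None else now)
    if (not isinstance(claims, dict) or claims.get("iss") != ISSUER
            or claims.get("aud") != expected_aud or claims.get("exp", 0) <= now):
        return None
    return claims


def introspection_response(token_record, requesting_rs, now=None):
    """Section 9.2: authorization_details is a top-level member of the
    introspection response JSON object, filtered for the RS that asked."""
    now = int(time.time() if now is None else now)
    if not token_record.get("active") or token_record["exp"] <= now:
        return {"active": False}
    return {
        "active": True, "iss": ISSUER,
        "sub": token_record["sub"], "aud": token_record["aud"], "exp": token_record["exp"],
        "authorization_details": filter_for_audience(
            token_record["authorization_details"], requesting_rs),
    }


def rs_permits(claims, wanted_type, action):
    """RS enforcement: allow the request only if some authorization_details
    element of the wanted type lists the action; returns that element or None."""
    for d in claims.get("authorization_details", []):
        if d.get("type") == wanted_type and action in d.get("actions", []):
            return d
    return None
```

A token minted for the payments RS carries only the payment_initiation element, so the accounts RS learns nothing about it from the JWT, and an introspection request from the accounts RS for the same grant receives only the account_information element. The RS check is deliberately positive-match only: an action that appears in no element of the expected type is refused, which is the least-privilege default the filtered details are meant to support.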