astm-utm / Protocol

ASTM UTM Protocol (API and sequence diagrams)

clarify JWT Claim 'scope' datatype in ASTM and RID specs #31

Closed issmith1 closed 4 years ago

issmith1 commented 4 years ago

Discussions reveal that the datatype for the JWT claim scope is actually a string containing whitespace-separated scopes.

"scope: with an array of strings indicating the scopes granted." Occurs in both RID and ASTM:
https://github.com/astm-utm/Protocol/blob/master/utm.yaml#L70
https://github.com/uastech/standards/blob/master/remoteid/augmented.yaml#L1775

Also 'canonical' obviously has old security definitions. Why is this spec still published? https://github.com/uastech/standards/blob/master/remoteid/canonical.yaml

BenjaminPelletier commented 4 years ago

Yes, it would be better to clarify the nature of the scope data type; it is not a JSON array, but an array as a synonym for "collection", "list", etc., as per RFC 6749 -- will do on this repo.

The uastech/standards repo is an entirely different repo holding a mirror of the published remote ID standard. Bugs for that can be filed there, but I don't see any old security definitions.
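
An added example, not part of the thread or of the ASTM/RID specifications: a resource-server check that treats the `scope` claim as the space-delimited string of RFC 6749 section 3.3 and rejects a JSON array. The scope names and sample tokens are constructed, and signature verification is assumed to have been done before any claim is read.

```python
import base64
import json
import re

# RFC 6749 section 3.3: scope = scope-token *( SP scope-token )
# scope-token = 1*( %x21 / %x23-5B / %x5D-7E )
_SCOPE_TOKEN = re.compile(r"[\x21\x23-\x5B\x5D-\x7E]+")


def jwt_payload(token: str) -> dict:
    """Decode the payload segment only. Signature verification is not shown
    here and must succeed before any claim is trusted."""
    segment = token.split(".")[1]
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def granted_scopes(claims: dict) -> frozenset:
    """Return the scopes in the 'scope' claim, accepting only the
    space-delimited string form and rejecting JSON arrays."""
    scope = claims.get("scope")
    if not isinstance(scope, str):
        raise ValueError("scope claim must be a space-delimited string")
    tokens = scope.split(" ")
    if any(not _SCOPE_TOKEN.fullmatch(t) for t in tokens):
        raise ValueError("scope claim contains an invalid scope-token")
    return frozenset(tokens)


def has_scope(claims: dict, required: str) -> bool:
    # Set membership, not `required in claims["scope"]`: on a string that is
    # a substring test, so "example.read" would match "example.read_only".
    return required in granted_scopes(claims)


def _make_token(payload: dict) -> str:
    """Build a constructed sample token with a placeholder signature."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(payload)}.placeholder"


# Constructed sample tokens; the scope names are hypothetical.
GOOD = _make_token({"scope": "example.read_only example.write"})
ARRAY = _make_token({"scope": ["example.read_only", "example.write"]})
```
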