@ -77,7 +77,7 @@ Just a quick intro to vocabulary that will be explained more thoroughly later on
### Scopes
### Scopes
Scopes are federated schemas. Any issuer may act as the agent of the subject to authorize any azp for any audience. To make this possible scopes are defined as `<<schema>>@<<domain.tld>> ` (i.e. dns@oauth3.org) and can be discovered as `https://aud.tld/.well-known/scopes@oauth3.org/<<schema>>@<<domain.tld>> .json` .
Scopes are federated schemas. Any issuer may act as the agent of the subject to authorize any azp for any audience. To make this possible scopes are defined as `{schema}@{domain.tld} ` (i.e. dns@oauth3.org) and can be discovered as `https://aud.tld/.well-known/scopes@oauth3.org/{schema}@{domain.tld} .json` .
Examples of well-known scope-schemas:
Examples of well-known scope-schemas:
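Review bot: the rewritten line still carries a stray space inside the backticks (`{schema}@{domain.tld} ` and `{schema}@{domain.tld} .json`), so the rendered discovery path reads as `...{domain.tld} .json`; drop the spaces so it is `https://aud.tld/.well-known/scopes@oauth3.org/{schema}@{domain.tld}.json`. "i.e. dns@oauth3.org" should be "e.g." since it is one example rather than the definition. This is also the first place the new `{...}` placeholder convention appears, so a one-line note that braces mark a value to be substituted (not literal characters) would help, particularly for the JSON example later in the same file where `{` is also an object brace.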
@ -189,11 +189,11 @@ Example **discovery url**:
```
```
https://smithfam.net/.well-known/oauth3/#/
https://smithfam.net/.well-known/oauth3/#/
?action=directives
?action=directives
& state=< < state > >
& state={state}
& redirect_uri=< < encodeURIComponent ( " https: / / azp . tld / . well-known / oauth3 / callback . html # / " ) > >
& redirect_uri={encodeURIComponent("https://azp.tld/.well-known/oauth3/callback.html#/")}
& response_type=rpc
& response_type=rpc
& _method=GET
& _method=GET
& _pathname=< < encodeURIComponent ( " . well-known / oauth3 / directives . json " ) > >
& _pathname={encodeURIComponent(".well-known/oauth3/directives.json")}
& debug=false
& debug=false
```
```
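Review bot: `{encodeURIComponent(...)}` reads as an expression to evaluate while `{state}` reads as a bare placeholder; the mixed form is fine if the text states that braces mean "the result of this expression, URL-encoded", but that is never said. The `redirect_uri` here ends in `#/`, whereas the authorization-dialog example later in this file uses the same callback without the fragment; since the response is itself delivered in the fragment of the callback URL, the doc should say whether the trailing `#/` is required or simply replaced.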
@ -209,9 +209,9 @@ The `redirect_uri` in our example was specified as `https://azp.tld/.well-known/
```
```
https://azp.tld/.well-known/oauth3/callback.html#/
https://azp.tld/.well-known/oauth3/callback.html#/
?state=< < params.state > >
?state={params.state}
& directives=< < OAUTH3._base64.encodeUrlSafe ( JSON . stringify ( directives ) ) > >
& directives={OAUTH3._base64.encodeUrlSafe(JSON.stringify(directives))}
& debug=< < params.debug > >
& debug={params.debug}
```
```
This url replaces the current window (currently loaded at the discovery url).
This url replaces the current window (currently loaded at the discovery url).
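Review bot: `state={params.state}` is echoed straight back from the request, and the doc should state that the callback page must compare it with the value it generated before acting on `directives`; without that sentence a reader has no way to tell this is a CSRF check rather than an opaque pass-through. It is also worth saying that `directives` is base64url-encoded JSON that the callback decodes and parses (not evaluates). Finally, `OAUTH3._base64.encodeUrlSafe` is referenced by an underscore-prefixed name, which usually signals a private helper; if it is part of the documented flow it should get a public name.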
@ -279,14 +279,14 @@ Example **authorization dialog** url (using the example above):
https://smithfam.net/#/authorization_dialog/
https://smithfam.net/#/authorization_dialog/
?response_type=token
?response_type=token
& scope=authn@oauth3.org
& scope=authn@oauth3.org
& state=< < OAUTH3.utils.randomState ( ) > >
& state={OAUTH3.utils.randomState()}
& client_uri=azp.tld
& client_uri=azp.tld
& client_id=azp.tld
& client_id=azp.tld
& subject=jane@smithfam.net
& subject=jane@smithfam.net
& jwk_kty=< < EC > >
& jwk_kty={EC}
& jwk_kid=< < thumbprint of key > >
& jwk_kid={thumbprint of key}
& jwk_XXX=< < property XXX of jwk > >
& jwk_XXX={property XXX of jwk}
& redirect_uri=< < encodeURIComponent ( ' https: / / azp . tld / . well-known / oauth3 / callback . html ' ) > >
& redirect_uri={encodeURIComponent('https://azp.tld/.well-known/oauth3/callback.html')}
& debug=false
& debug=false
```
```
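Review bot: `jwk_kty={EC}` wraps a literal value in placeholder braces; `EC` is the actual key type sent, so this should read `jwk_kty=EC` (the old `< < EC > >` had the same problem). `jwk_XXX={property XXX of jwk}` would be clearer if the text listed which members are expected for an EC key (`crv`, `x`, `y`), since the kid alone does not let a reader reconstruct the query string. Minor consistency points: `redirect_uri` uses single quotes here but double quotes in the discovery example, and drops the `#/` fragment used there; and `state={OAUTH3.utils.randomState()}` would benefit from a sentence noting that the value must be unguessable and retained for comparison at the callback.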
@ -324,12 +324,12 @@ In the reference implementation the user is sent an email with a login code or t
A JWT (token) with the following properties will be generated:
A JWT (token) with the following properties will be generated:
```
```
{ "jti": "< < nonce > > "
{ "jti": "{nonce} "
, "iat": < < issued at unix timestamp in seconds > >
, "iat": {issued at unix timestamp in seconds}
, "amr": "pwd@oauth3.org"
, "amr": "pwd@oauth3.org"
, "laa": < < last authentication at unix timestamp in seconds > >
, "laa": {last authentication at unix timestamp in seconds}
, "exp": < < expiry unix timestamp in seconds > >
, "exp": {expiry unix timestamp in seconds}
, "sub": "< < psuedonymous pairwise identifier > > "
, "sub": "{psuedonymous pairwise identifier} "
, "iss": "smithfam.net"
, "iss": "smithfam.net"
, "azp": "azp.tld"
, "azp": "azp.tld"
, "aud": "azp.tld"
, "aud": "azp.tld"
@ -346,12 +346,12 @@ The token will be passed back to the application in the following form:
```
```
https://azp.tld/.well-known/oauth3/callback.html#/
https://azp.tld/.well-known/oauth3/callback.html#/
?access_token=< < token > >
?access_token={token}
& token_type=< < Bearer > >
& token_type={Bearer}
& refresh_token=< < refresh_token > >
& refresh_token={refresh_token}
& expires_in=< < token.exp - now > >
& expires_in={token.exp - now}
& scope=< < token.scp > >
& scope={token.scp}
& state=< < params.state > >
& state={params.state}
& debug=false
& debug=false
```
```
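Review bot: `token_type={Bearer}` wraps a literal in placeholder braces; the value sent is `Bearer`, so write `token_type=Bearer`. `expires_in={token.exp - now}` is only correct if both sides are in seconds, which the JWT block states for `exp` but should be repeated here. Since the access and refresh tokens arrive in the URL fragment, the text should say that the callback page reads them and then removes them from the location (and does not forward them to any server path), which is the reason for using the fragment in the first place.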