RFC 9068: JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens
The newly published “JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens” (RFC 9068) is a valuable standards reference for our use of JWTs with OAuth for interoperable, least-privilege resource access in scientific collaborations. RFC 9068 includes guidance about issuing the “aud”, “scope”, “groups”, “roles”, and “entitlements” claims, about using the “resource” parameter in requests, and about validating tokens. It also addresses important security and privacy considerations. Work is already underway to align existing SciTokens and WLCG profiles with this new standard.