data-security icon indicating copy to clipboard operation
data-security copied to clipboard

Published 20 hours ago verified publisher icon ga4gh

Claims in embedded access tokens

Open mikael-linden opened this issue 5 years ago • 1 comments

Section "Conformance for Brokers" of the AAI spec says

"Access tokens do not contain GA4GH Claims directly in the access token."

However, section "Embedded Access Token Format" says

"The payload claims MAY contain at least one GA4GH Claim ()."

I understand that the intention is that a Broker may decide to embed an upstream broker's access token to a downstream passport. Therefore, the spec would be more consistent if claims would be excluded from embedded access tokens, too.

mikael-linden avatar Oct 15 '19 12:10 mikael-linden

Wait was this addressed before we ratified?

davidbernick avatar Feb 24 '20 02:02 davidbernick

The second statement mentioned is not present in version 1.2, and the first statement has been strengthened to say MUST NOT ratehr than do not.

TomConner avatar Oct 02 '24 23:10 TomConner