<?xml version='1.0' encoding='utf-8'?>
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" version="3" category="std" consensus="true" docName="draft-ietf-oauth-token-exchange-19" indexInclude="true" ipr="trust200902" number="8693" prepTime="2020-01-15T14:45:58" scripts="Common,Latin" sortRefs="true" submissionType="IETF" symRefs="true" tocDepth="4" tocInclude="true" xml:lang="en">
  <link href="https://datatracker.ietf.org/doc/draft-ietf-oauth-token-exchange-19" rel="prev"/>
  <link href="https://dx.doi.org/10.17487/rfc8693" rel="alternate"/>
  <link href="urn:issn:2070-1721" rel="alternate"/>
  <front>
    <title abbrev="OAuth 2.0 Token Exchange">OAuth 2.0 Token Exchange</title>
    <seriesInfo name="RFC" value="8693" stream="IETF"/>
    <author fullname="Michael B. Jones" initials="M." surname="Jones">
      <organization showOnFrontPage="true">Microsoft</organization>
      <address>
        <email>mbj@microsoft.com</email>
        <uri>https://self-issued.info/</uri>
      </address>
    </author>
    <author fullname="Anthony Nadalin" initials="A." surname="Nadalin">
      <organization showOnFrontPage="true">Microsoft</organization>
      <address>
        <email>tonynad@microsoft.com</email>
      </address>
    </author>
    <author fullname="Brian Campbell" initials="B." surname="Campbell" role="editor">
      <organization showOnFrontPage="true">Ping Identity</organization>
      <address>
        <email>brian.d.campbell@gmail.com</email>
      </address>
    </author>
    <author fullname="John Bradley" initials="J." surname="Bradley">
      <organization showOnFrontPage="true">Yubico</organization>
      <address>
        <email>ve7jtb@ve7jtb.com</email>
      </address>
    </author>
    <author fullname="Chuck Mortimore" initials="C." surname="Mortimore">
      <organization abbrev="Visa" showOnFrontPage="true">Visa</organization>
      <address>
        <email>chuck.mortimore@visa.com</email>
      </address>
    </author>
    <date month="01" year="2020"/>
    <area>Security</area>
    <workgroup>OAuth Working Group</workgroup>
    <keyword>JSON Web Token</keyword>
    <keyword>JWT</keyword>
    <keyword>Delegation</keyword>
    <keyword>Impersonation</keyword>
    <keyword>STS</keyword>
    <keyword>Security Token Service</keyword>
    <keyword>Exchange</keyword>
    <keyword>Token</keyword>
    <keyword>OAuth</keyword>
    <abstract pn="section-abstract">
      <t pn="section-abstract-1">
	This specification defines a protocol for an HTTP- and JSON-based
	Security Token Service (STS) by defining how to request and obtain
	security tokens from OAuth 2.0 authorization servers,
	including security tokens employing impersonation and delegation.
      </t>
    </abstract>
    <boilerplate>
      <section anchor="status-of-memo" numbered="false" removeInRFC="false" toc="exclude" pn="section-boilerplate.1">
        <name slugifiedName="name-status-of-this-memo">Status of This Memo</name>
        <t pn="section-boilerplate.1-1">
            This is an Internet Standards Track document.
        </t>
        <t pn="section-boilerplate.1-2">
            This document is a product of the Internet Engineering Task Force
            (IETF).  It represents the consensus of the IETF community.  It has
            received public review and has been approved for publication by
            the Internet Engineering Steering Group (IESG).  Further
            information on Internet Standards is available in Section 2 of 
            RFC 7841.
        </t>
        <t pn="section-boilerplate.1-3">
            Information about the current status of this document, any
            errata, and how to provide feedback on it may be obtained at
            <eref target="https://www.rfc-editor.org/info/rfc8693" brackets="none"/>.
        </t>
      </section>
      <section anchor="copyright" numbered="false" removeInRFC="false" toc="exclude" pn="section-boilerplate.2">
        <name slugifiedName="name-copyright-notice">Copyright Notice</name>
        <t pn="section-boilerplate.2-1">
            Copyright (c) 2020 IETF Trust and the persons identified as the
            document authors. All rights reserved.
        </t>
        <t pn="section-boilerplate.2-2">
            This document is subject to BCP 78 and the IETF Trust's Legal
            Provisions Relating to IETF Documents
            (<eref target="https://trustee.ietf.org/license-info" brackets="none"/>) in effect on the date of
            publication of this document. Please review these documents
            carefully, as they describe your rights and restrictions with
            respect to this document. Code Components extracted from this
            document must include Simplified BSD License text as described in
            Section 4.e of the Trust Legal Provisions and are provided without
            warranty as described in the Simplified BSD License.
        </t>
      </section>
    </boilerplate>
    <toc>
      <section anchor="toc" numbered="false" removeInRFC="false" toc="exclude" pn="section-toc.1">
        <name slugifiedName="name-table-of-contents">Table of Contents</name>
        <ul bare="true" empty="true" indent="2" spacing="compact" pn="section-toc.1-1">
          <li pn="section-toc.1-1.1">
            <t keepWithNext="true" pn="section-toc.1-1.1.1"><xref derivedContent="1" format="counter" sectionFormat="of" target="section-1"/>.  <xref derivedContent="" format="title" sectionFormat="of" target="name-introduction">Introduction</xref></t>
            <ul bare="true" empty="true" indent="2" spacing="compact" pn="section-toc.1-1.1.2">
              <li pn="section-toc.1-1.1.2.1">
                <t keepWithNext="true" pn="section-toc.1-1.1.2.1.1"><xref derivedContent="1.1" format="counter" sectionFormat="of" target="section-1.1"/>.  <xref derivedContent="" format="title" sectionFormat="of" target="name-delegation-vs-impersonation">Delegation vs. Impersonation Semantics</xref></t>
              </li>
              <li pn="section-toc.1-1.1.2.2">
                <t keepWithNext="true" pn="section-toc.1-1.1.2.2.1"><xref derivedContent="1.2" format="counter" sectionFormat="of" target="section-1.2"/>.  <xref derivedContent="" format="title" sectionFormat="of" target="name-requirements-notation-and-c">Requirements Notation and Conventions</xref></t>
              </li>
              <li pn="section-toc.1-1.1.2.3">
                <t keepWithNext="true" pn="section-toc.1-1.1.2.3.1"><xref derivedContent="1.3" format="counter" sectionFormat="of" target="section-1.3"/>.  <xref derivedContent="" format="title" sectionFormat="of" target="name-terminology">Terminology</xref></t>
              </li>
            </ul>
          </li>
          <li pn="section-toc.1-1.2">
            <t keepWithNext="true" pn="section-toc.1-1.2.1"><xref derivedContent="2" format="counter" sectionFormat="of" target="section-2"/>.  <xref derivedContent="" format="title" sectionFormat="of" target="name-token-exchange-request-and-">Token Exchange Request and Response</xref></t>
            <ul bare="true" empty="true" indent="2" spacing="compact" pn="section-toc.1-1.2.2">
              <li pn="section-toc.1-1.2.2.1">
                <t keepWithNext="true" pn="section-toc.1-1.2.2.1.1"><xref derivedContent="2.1" format="counter" sectionFormat="of" target="section-2.1"/>.  <xref derivedContent="" format="title" sectionFormat="of" target="name-request">Request</xref></t>
                <ul bare="true" empty="true" indent="2" spacing="compact" pn="section-toc.1-1.2.2.1.2">
                  <li pn="section-toc.1-1.2.2.1.2.1">
                    <t keepWithNext="true" pn="section-toc.1-1.2.2.1.2.1.1"><xref derivedContent="2.1.1" format="counter" sectionFormat="of" target="section-2.1.1"/>.  <xref derivedContent="" format="title" sectionFormat="of" target="name-relationship-between-resour">Relationship between Resource, Audience, and Scope</xref></t>
                  </li>
                </ul>
              </li>
              <li pn="section-toc.1-1.2.2.2">
                <t keepWithNext="true" pn="section-toc.1-1.2.2.2.1"><xref derivedContent="2.2" format="counter" sectionFormat="of" target="section-2.2"/>.  <xref derivedContent="" format="title" sectionFormat="of" target="name-response">Response</xref></t>
                <ul bare="true" empty="true" indent="2" spacing="compact" pn="section-toc.1-1.2.2.2.2">
                  <li pn="section-toc.1-1.2.2.2.2.1">
                    <t keepWithNext="true" pn="section-toc.1-1.2.2.2.2.1.1"><xref derivedContent="2.2.1" format="counter" sectionFormat="of" target="section-2.2.1"/>.  <xref derivedContent="" format="title" sectionFormat="of" target="name-successful-response">Successful Response</xref></t>
                  </li>
                  <li pn="section-toc.1-1.2.2.2.2.2">
                    <t keepWithNext="true" pn="section-toc.1-1.2.2.2.2.2.1"><xref derivedContent="2.2.2" format="counter" sectionFormat="of" target="section-2.2.2"/>.  <xref derivedContent="" format="title" sectionFormat="of" target="name-error-response">Error Response</xref></t>
                  </li>
                </ul>
              </li>
              <li pn="section-toc.1-1.2.2.3">
                <t keepWithNext="true" pn="section-toc.1-1.2.2.3.1"><xref derivedContent="2.3" format="counter" sectionFormat="of" target="section-2.3"/>.  <xref derivedContent="" format="title" sectionFormat="of" target="name-example-token-exchange">Example Token Exchange</xref></t>
              </li>
            </ul>
          </li>
          <li pn="section-toc.1-1.3">
            <t keepWithNext="true" pn="section-toc.1-1.3.1"><xref derivedContent="3" format="counter" sectionFormat="of" target="section-3"/>.  <xref derivedContent="" format="title" sectionFormat="of" target="name-token-type-identifiers">Token Type Identifiers</xref></t>
          </li>
          <li pn="section-toc.1-1.4">
            <t keepWithNext="true" pn="section-toc.1-1.4.1"><xref derivedContent="4" format="counter" sectionFormat="of" target="section-4"/>.  <xref derivedContent="" format="title" sectionFormat="of" target="name-json-web-token-claims-and-i">JSON Web Token Claims and Introspection Response Parameters</xref></t>
            <ul bare="true" empty="true" indent="2" spacing="compact" pn="section-toc.1-1.4.2">
              <li pn="section-toc.1-1.4.2.1">
                <t keepWithNext="true" pn="section-toc.1-1.4.2.1.1"><xref derivedContent="4.1" format="counter" sectionFormat="of" target="section-4.1"/>.  <xref derivedContent="" format="title" sectionFormat="of" target="name-act-actor-claim">"act" (Actor) Claim</xref></t>
              </li>
              <li pn="section-toc.1-1.4.2.2">
                <t keepWithNext="true" pn="section-toc.1-1.4.2.2.1"><xref derivedContent="4.2" format="counter" sectionFormat="of" target="section-4.2"/>.  <xref derivedContent="" format="title" sectionFormat="of" target="name-scope-scopes-claim">"scope" (Scopes) Claim</xref></t>
              </li>
              <li pn="section-toc.1-1.4.2.3">
                <t keepWithNext="true" pn="section-toc.1-1.4.2.3.1"><xref derivedContent="4.3" format="counter" sectionFormat="of" target="section-4.3"/>.  <xref derivedContent="" format="title" sectionFormat="of" target="name-client_id-client-identifier">"client_id" (Client Identifier) Claim</xref></t>
              </li>
              <li pn="section-toc.1-1.4.2.4">
                <t keepWithNext="true" pn="section-toc.1-1.4.2.4.1"><xref derivedContent="4.4" format="counter" sectionFormat="of" target="section-4.4"/>.  <xref derivedContent="" format="title" sectionFormat="of" target="name-may_act-authorized-actor-cl">"may_act" (Authorized Actor) Claim</xref></t>
              </li>
            </ul>
          </li>
          <li pn="section-toc.1-1.5">
            <t keepWithNext="true" pn="section-toc.1-1.5.1"><xref derivedContent="5" format="counter" sectionFormat="of" target="section-5"/>.  <xref derivedContent="" format="title" sectionFormat="of" target="name-security-considerations">Security Considerations</xref></t>
          </li>
          <li pn="section-toc.1-1.6">
            <t keepWithNext="true" pn="section-toc.1-1.6.1"><xref derivedContent="6" format="counter" sectionFormat="of" target="section-6"/>.  <xref derivedContent="" format="title" sectionFormat="of" target="name-privacy-considerations">Privacy Considerations</xref></t>
          </li>
          <li pn="section-toc.1-1.7">
            <t keepWithNext="true" pn="section-toc.1-1.7.1"><xref derivedContent="7" format="counter" sectionFormat="of" target="section-7"/>.  <xref derivedContent="" format="title" sectionFormat="of" target="name-iana-considerations">IANA Considerations</xref></t>
            <ul bare="true" empty="true" indent="2" spacing="compact" pn="section-toc.1-1.7.2">
              <li pn="section-toc.1-1.7.2.1">
                <t keepWithNext="true" pn="section-toc.1-1.7.2.1.1"><xref derivedContent="7.1" format="counter" sectionFormat="of" target="section-7.1"/>.  <xref derivedContent="" format="title" sectionFormat="of" target="name-oauth-uri-registration">OAuth URI Registration</xref></t>
              </li>
              <li pn="section-toc.1-1.7.2.2">
                <t keepWithNext="true" pn="section-toc.1-1.7.2.2.1"><xref derivedContent="7.2" format="counter" sectionFormat="of" target="section-7.2"/>.  <xref derivedContent="" format="title" sectionFormat="of" target="name-oauth-parameters-registrati">OAuth Parameters Registration</xref></t>
              </li>
              <li pn="section-toc.1-1.7.2.3">
                <t keepWithNext="true" pn="section-toc.1-1.7.2.3.1"><xref derivedContent="7.3" format="counter" sectionFormat="of" target="section-7.3"/>.  <xref derivedContent="" format="title" sectionFormat="of" target="name-oauth-access-token-type-reg">OAuth Access Token Type Registration</xref></t>
              </li>
              <li pn="section-toc.1-1.7.2.4">
                <t keepWithNext="true" pn="section-toc.1-1.7.2.4.1"><xref derivedContent="7.4" format="counter" sectionFormat="of" target="section-7.4"/>.  <xref derivedContent="" format="title" sectionFormat="of" target="name-json-web-token-claims-regis">JSON Web Token Claims Registration</xref></t>
              </li>
              <li pn="section-toc.1-1.7.2.5">
                <t keepWithNext="true" pn="section-toc.1-1.7.2.5.1"><xref derivedContent="7.5" format="counter" sectionFormat="of" target="section-7.5"/>.  <xref derivedContent="" format="title" sectionFormat="of" target="name-oauth-token-introspection-r">OAuth Token Introspection Response Registration</xref></t>
              </li>
            </ul>
          </li>
          <li pn="section-toc.1-1.8">
            <t keepWithNext="true" pn="section-toc.1-1.8.1"><xref derivedContent="8" format="counter" sectionFormat="of" target="section-8"/>.  <xref derivedContent="" format="title" sectionFormat="of" target="name-references">References</xref></t>
            <ul bare="true" empty="true" indent="2" spacing="compact" pn="section-toc.1-1.8.2">
              <li pn="section-toc.1-1.8.2.1">
                <t keepWithNext="true" pn="section-toc.1-1.8.2.1.1"><xref derivedContent="8.1" format="counter" sectionFormat="of" target="section-8.1"/>.  <xref derivedContent="" format="title" sectionFormat="of" target="name-normative-references">Normative References</xref></t>
              </li>
              <li pn="section-toc.1-1.8.2.2">
                <t keepWithNext="true" pn="section-toc.1-1.8.2.2.1"><xref derivedContent="8.2" format="counter" sectionFormat="of" target="section-8.2"/>.  <xref derivedContent="" format="title" sectionFormat="of" target="name-informative-references">Informative References</xref></t>
              </li>
            </ul>
          </li>
          <li pn="section-toc.1-1.9">
            <t keepWithNext="true" pn="section-toc.1-1.9.1"><xref derivedContent="Appendix A" format="default" sectionFormat="of" target="section-appendix.a"/>.  <xref derivedContent="" format="title" sectionFormat="of" target="name-additional-token-exchange-e">Additional Token Exchange Examples</xref></t>
            <ul bare="true" empty="true" indent="2" spacing="compact" pn="section-toc.1-1.9.2">
              <li pn="section-toc.1-1.9.2.1">
                <t keepWithNext="true" pn="section-toc.1-1.9.2.1.1"><xref derivedContent="A.1" format="counter" sectionFormat="of" target="section-a.1"/>.  <xref derivedContent="" format="title" sectionFormat="of" target="name-impersonation-token-exchang">Impersonation Token Exchange Example</xref></t>
                <ul bare="true" empty="true" indent="2" spacing="compact" pn="section-toc.1-1.9.2.1.2">
                  <li pn="section-toc.1-1.9.2.1.2.1">
                    <t keepWithNext="true" pn="section-toc.1-1.9.2.1.2.1.1"><xref derivedContent="A.1.1" format="counter" sectionFormat="of" target="section-a.1.1"/>.  <xref derivedContent="" format="title" sectionFormat="of" target="name-token-exchange-request-2">Token Exchange Request</xref></t>
                  </li>
                  <li pn="section-toc.1-1.9.2.1.2.2">
                    <t keepWithNext="true" pn="section-toc.1-1.9.2.1.2.2.1"><xref derivedContent="A.1.2" format="counter" sectionFormat="of" target="section-a.1.2"/>.  <xref derivedContent="" format="title" sectionFormat="of" target="name-subject-token-claims">Subject Token Claims</xref></t>
                  </li>
                  <li pn="section-toc.1-1.9.2.1.2.3">
                    <t keepWithNext="true" pn="section-toc.1-1.9.2.1.2.3.1"><xref derivedContent="A.1.3" format="counter" sectionFormat="of" target="section-a.1.3"/>.  <xref derivedContent="" format="title" sectionFormat="of" target="name-token-exchange-response-2">Token Exchange Response</xref></t>
                  </li>
                  <li pn="section-toc.1-1.9.2.1.2.4">
                    <t keepWithNext="true" pn="section-toc.1-1.9.2.1.2.4.1"><xref derivedContent="A.1.4" format="counter" sectionFormat="of" target="section-a.1.4"/>.  <xref derivedContent="" format="title" sectionFormat="of" target="name-issued-token-claims">Issued Token Claims</xref></t>
                  </li>
                </ul>
              </li>
              <li pn="section-toc.1-1.9.2.2">
                <t keepWithNext="true" pn="section-toc.1-1.9.2.2.1"><xref derivedContent="A.2" format="counter" sectionFormat="of" target="section-a.2"/>.  <xref derivedContent="" format="title" sectionFormat="of" target="name-delegation-token-exchange-e">Delegation Token Exchange Example</xref></t>
                <ul bare="true" empty="true" indent="2" spacing="compact" pn="section-toc.1-1.9.2.2.2">
                  <li pn="section-toc.1-1.9.2.2.2.1">
                    <t keepWithNext="true" pn="section-toc.1-1.9.2.2.2.1.1"><xref derivedContent="A.2.1" format="counter" sectionFormat="of" target="section-a.2.1"/>.  <xref derivedContent="" format="title" sectionFormat="of" target="name-token-exchange-request-4">Token Exchange Request</xref></t>
                  </li>
                  <li pn="section-toc.1-1.9.2.2.2.2">
                    <t keepWithNext="true" pn="section-toc.1-1.9.2.2.2.2.1"><xref derivedContent="A.2.2" format="counter" sectionFormat="of" target="section-a.2.2"/>.  <xref derivedContent="" format="title" sectionFormat="of" target="name-subject-token-claims-3">Subject Token Claims</xref></t>
                  </li>
                  <li pn="section-toc.1-1.9.2.2.2.3">
                    <t keepWithNext="true" pn="section-toc.1-1.9.2.2.2.3.1"><xref derivedContent="A.2.3" format="counter" sectionFormat="of" target="section-a.2.3"/>.  <xref derivedContent="" format="title" sectionFormat="of" target="name-actor-token-claims">Actor Token Claims</xref></t>
                  </li>
                  <li pn="section-toc.1-1.9.2.2.2.4">
                    <t keepWithNext="true" pn="section-toc.1-1.9.2.2.2.4.1"><xref derivedContent="A.2.4" format="counter" sectionFormat="of" target="section-a.2.4"/>.  <xref derivedContent="" format="title" sectionFormat="of" target="name-token-exchange-response-4">Token Exchange Response</xref></t>
                  </li>
                  <li pn="section-toc.1-1.9.2.2.2.5">
                    <t keepWithNext="true" pn="section-toc.1-1.9.2.2.2.5.1"><xref derivedContent="A.2.5" format="counter" sectionFormat="of" target="section-a.2.5"/>.  <xref derivedContent="" format="title" sectionFormat="of" target="name-issued-token-claims-3">Issued Token Claims</xref></t>
                  </li>
                </ul>
              </li>
            </ul>
          </li>
          <li pn="section-toc.1-1.10">
            <t keepWithNext="true" pn="section-toc.1-1.10.1"><xref derivedContent="" format="none" sectionFormat="of" target="section-appendix.b"/><xref derivedContent="" format="title" sectionFormat="of" target="name-acknowledgements">Acknowledgements</xref></t>
          </li>
          <li pn="section-toc.1-1.11">
            <t keepWithNext="true" pn="section-toc.1-1.11.1"><xref derivedContent="" format="none" sectionFormat="of" target="section-appendix.c"/><xref derivedContent="" format="title" sectionFormat="of" target="name-authors-addresses">Authors' Addresses</xref></t>
          </li>
        </ul>
      </section>
    </toc>
  </front>
  <middle>
    <section anchor="Introduction" numbered="true" toc="include" removeInRFC="false" pn="section-1">
      <name slugifiedName="name-introduction">Introduction</name>
      <t pn="section-1-1">
  A security token is a set of information that facilitates the sharing of
  identity and security information in heterogeneous environments or across
  security domains.  Examples of security tokens include JSON Web Tokens
  (JWTs) <xref target="RFC7519" format="default" sectionFormat="of" derivedContent="JWT"/> and Security Assertion Markup Language (SAML)
  2.0 assertions <xref target="OASIS.saml-core-2.0-os" format="default" sectionFormat="of" derivedContent="OASIS.saml-core-2.0-os"/>.  Security tokens are
  typically signed to achieve integrity and sometimes also encrypted to
  achieve confidentiality.  Security tokens are also sometimes described as
  assertions, such as in <xref target="RFC7521" format="default" sectionFormat="of" derivedContent="RFC7521"/>.
</t>
      <t pn="section-1-2">
  A Security Token Service (STS) is a service capable of validating
  security tokens provided to it and issuing new security tokens in
  response, which enables clients to obtain appropriate
  access credentials for resources in heterogeneous environments or across security
  domains.
  Web Service clients have used WS-Trust <xref target="WS-Trust" format="default" sectionFormat="of" derivedContent="WS-Trust"/>
  as the protocol to interact with an STS for token exchange.
  While WS-Trust
  uses XML and SOAP, the trend in modern Web development
  has been towards RESTful (Representational State Transfer) patterns and JSON.
  The OAuth 2.0 Authorization Framework <xref target="RFC6749" format="default" sectionFormat="of" derivedContent="RFC6749"/>
  and OAuth 2.0 Bearer Tokens <xref target="RFC6750" format="default" sectionFormat="of" derivedContent="RFC6750"/>
  have emerged as popular standards for authorizing third-party
  applications' access to HTTP and RESTful resources.
  The conventional OAuth 2.0 interaction involves the exchange of some
  representation of resource owner authorization for an access token,
  which has proven to be an extremely useful pattern in practice. However,
  its input and output are somewhat too constrained as is to fully
  accommodate a security token exchange framework.
</t>
      <t pn="section-1-3">
  This specification defines a protocol extending OAuth 2.0 that enables
  clients to request and obtain security tokens from authorization servers acting in
  the role of an STS.
  Similar to OAuth 2.0, this specification focuses on client developer simplicity and
  requires only an HTTP client and JSON parser, which are nearly universally available
  in modern development environments. The STS protocol defined in this specification
  is not itself RESTful (an STS doesn't lend itself particularly well to a REST
  approach) but does utilize communication patterns and data formats that should be
  familiar to developers accustomed to working with RESTful systems.
</t>
      <t pn="section-1-4">
  A new grant type for a token exchange request and the associated specific parameters for
  such a request to the token endpoint are defined by this specification.
  A token exchange response is a normal OAuth 2.0 response from the token endpoint
  with a few additional parameters defined herein to provide information to the client.
</t>
      <t pn="section-1-5">
  The entity that makes the request to exchange tokens is considered the client in the
  context of the token exchange interaction. However, that does not restrict
  usage of this profile to traditional OAuth clients. An OAuth resource server, for example, might assume
  the role of the client during token exchange in order to trade an
  access token that it received in a protected resource request for
  a new token that is appropriate to include in a call to a backend
  service. The new token might be an access token that is more
  narrowly scoped for the downstream service or it could be an entirely different kind
  of token.
</t>
      <t pn="section-1-6">
  The scope of this specification is limited to the definition of a
  basic request-and-response protocol for an STS-style token exchange utilizing OAuth 2.0.
  Although a few new JWT claims are defined that enable delegation semantics to be expressed,
  the specific syntax, semantics, and security characteristics of the tokens themselves
  (both those presented to the authorization server and those obtained by the client)
  are explicitly out of scope, and no requirements are placed on the trust model in
  which an implementation might be deployed. Additional profiles may provide
  more detailed requirements around the specific nature of the parties and trust involved,
  such as whether signing and/or encryption of tokens is needed or if proof-of-possession-style
  tokens will be required or issued. However, such details
  will often be policy decisions made with respect to the specific needs of individual
  deployments and will be configured or implemented accordingly.
</t>
      <t pn="section-1-7">
  The security tokens obtained may be used in a number of contexts,
  the specifics of which are also beyond the scope of this specification.
</t>
      <section anchor="DelegationImpersonation" numbered="true" toc="include" removeInRFC="false" pn="section-1.1">
        <name slugifiedName="name-delegation-vs-impersonation">Delegation vs. Impersonation Semantics</name>
        <t pn="section-1.1-1">
    One common use case for an STS (as alluded to in the previous section)
    is to allow a resource server A to make calls to a backend service C on
    behalf of the requesting user B.  Depending on the local site policy and
    authorization infrastructure, it may be desirable for A to use its own
    credentials to access C along with an annotation of some form that A is
    acting on behalf of B ("delegation") or for A to be granted a limited access
    credential to C but that continues to identify B as the authorized
    entity ("impersonation").  Delegation and impersonation can be useful
    concepts in other scenarios involving multiple participants as well.
        </t>
        <t pn="section-1.1-2">
    When principal A impersonates principal B, A is given all
    the rights that B has within some defined rights context
    and is indistinguishable from B in that context.
    Thus, when principal A impersonates principal B, then insofar
    as any entity receiving such a token is concerned, they are
    actually dealing with B. It is true that some members of the
    identity system might have awareness that impersonation is
    going on, but it is not a requirement.
    For all intents and purposes, when A is impersonating B, A is B within the
    context of the rights authorized by the token. A's ability to impersonate B could
    be limited in scope or time, or even with a one-time-use restriction,
    whether via the contents of the token or an out-of-band mechanism.
        </t>
        <t pn="section-1.1-3">
    Delegation semantics are different than
    impersonation semantics, though the two are closely related.
    With delegation semantics, principal A still has its own identity
    separate from B, and it is explicitly understood that while B
    may have delegated some of its rights to A, any actions taken are
    being taken by A representing B. In a sense, A is an agent for B.
        </t>
        <t pn="section-1.1-4">
    Delegation and impersonation are not inclusive of all situations.
    When a principal is acting directly on its own behalf, for example,
    neither delegation nor impersonation are in play. They are, however,
    the more common semantics operating for token exchange and, as such, are
    given more direct treatment in this specification.
        </t>
        <t pn="section-1.1-5">
    Delegation semantics are typically expressed in a token by including information about both the
    primary subject of the token as well as the actor to whom that subject has delegated some of its rights.
    Such a token is sometimes referred to as a composite token because it is composed of information
    about multiple subjects. Typically, in the request, the <tt>subject_token</tt>
    represents the identity of the party on
    behalf of whom the token is being requested while the <tt>actor_token</tt> represents
    the identity of the party to whom the access rights of the issued token are being delegated.
    A composite token issued by the authorization server will contain information about both parties.
    When and if a composite token is issued is at the discretion of the authorization server and
    applicable policy and configuration.
        </t>
        <t pn="section-1.1-6">
    The specifics of representing a composite token and even whether or not
    such a token will be issued depend on the details of the implementation
    and the kind of token.  The representations of composite tokens that are
    not JWTs are beyond the scope of this specification.  The <tt>actor_token</tt> request parameter, however, does provide
    a means for providing information about the desired actor, and the JWT
    <tt>act</tt> claim can provide a representation of a
    chain of delegation.
        </t>
      </section>
      <section anchor="RNC" numbered="true" toc="include" removeInRFC="false" pn="section-1.2">
        <name slugifiedName="name-requirements-notation-and-c">Requirements Notation and Conventions</name>
        <t pn="section-1.2-1">
    The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
    "<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as
    described in BCP 14 <xref target="RFC2119" format="default" sectionFormat="of" derivedContent="RFC2119"/> <xref target="RFC8174" format="default" sectionFormat="of" derivedContent="RFC8174"/> 
    when, and only when, they appear in all capitals, as shown here.
        </t>
      </section>
      <section anchor="Terminology" numbered="true" toc="include" removeInRFC="false" pn="section-1.3">
        <name slugifiedName="name-terminology">Terminology</name>
        <t pn="section-1.3-1">
	  This specification uses the terms
	  "access token type", "authorization server", "client", "client identifier",
	  "resource server", "token endpoint", "token request", and "token response"
	  defined by OAuth 2.0 <xref target="RFC6749" format="default" sectionFormat="of" derivedContent="RFC6749"/>,
	  and the terms "Base64url Encoding", "Claim", and "JWT Claims Set" defined by
	  JSON Web Token (JWT) <xref target="RFC7519" format="default" sectionFormat="of" derivedContent="JWT"/>.
        </t>
      </section>
    </section>
    <section anchor="Messages" numbered="true" toc="include" removeInRFC="false" pn="section-2">
      <name slugifiedName="name-token-exchange-request-and-">Token Exchange Request and Response</name>
      <section anchor="Request" numbered="true" toc="include" removeInRFC="false" pn="section-2.1">
        <name slugifiedName="name-request">Request</name>
        <t pn="section-2.1-1">
  A client requests a security token by making a token request to the authorization
  server's token endpoint using the extension grant type mechanism defined
  in <xref target="RFC6749" sectionFormat="of" section="4.5" format="default" derivedLink="https://rfc-editor.org/rfc/rfc6749#section-4.5" derivedContent="RFC6749"/>.
</t>
        <t pn="section-2.1-2">
  Client authentication to the authorization server is done using the normal
  mechanisms provided by OAuth 2.0.
  <xref target="RFC6749" sectionFormat="of" section="2.3.1" format="default" derivedLink="https://rfc-editor.org/rfc/rfc6749#section-2.3.1" derivedContent="RFC6749"/>
  defines password-based authentication of the client,
  however, client authentication is extensible and other mechanisms are possible.
  For example, <xref target="RFC7523" format="default" sectionFormat="of" derivedContent="RFC7523"/> defines client authentication using bearer
  JSON Web Tokens (JWTs) <xref target="RFC7519" format="default" sectionFormat="of" derivedContent="JWT"/>.
  The supported methods of client authentication and whether or not to allow
  unauthenticated or unidentified clients are deployment decisions that are
  at the discretion of the authorization server.
  Note that omitting client authentication allows
  for a compromised token to be leveraged via an STS into other tokens by
  anyone possessing the compromised token. Thus, client
  authentication allows for additional authorization checks by the STS as to which
  entities are permitted to impersonate or receive delegations from other
  entities.
</t>
        <t pn="section-2.1-3">
  The client makes a token exchange request to the token endpoint with an extension
  grant type using the HTTP <tt>POST</tt> method. The
  following parameters are included in the HTTP request entity-body
  using the <tt>application/x-www-form-urlencoded</tt>
  format with a character encoding of UTF-8 as described in
  <xref target="RFC6749" sectionFormat="of" section="B" format="default" derivedLink="https://rfc-editor.org/rfc/rfc6749#appendix-B" derivedContent="RFC6749"/>.
</t>
        <dl newline="true" spacing="normal" pn="section-2.1-4">
          <dt pn="section-2.1-4.1">grant_type</dt>
          <dd pn="section-2.1-4.2">
            <bcp14>REQUIRED</bcp14>. The value
    <tt>urn:ietf:params:oauth:grant-type:token-exchange</tt>
    indicates that a token exchange is being performed.
  </dd>
          <dt pn="section-2.1-4.3">resource</dt>
          <dd pn="section-2.1-4.4">
            <bcp14>OPTIONAL</bcp14>.
    A URI that indicates the target service or resource where the client intends to use
    the requested security token. This enables the authorization server to apply policy as appropriate
    for the target, such as determining the type and content of the token to be issued or if and how
    the token is to be encrypted.
    In many cases, a client will not have knowledge of the logical organization of the systems with
    which it interacts and will only know a URI of the service where it intends to use the token.
    The <tt>resource</tt> parameter allows the client to indicate to the authorization server
    where it intends to use the issued token by providing the location, typically as an https URL, in the
    token exchange request in the same form that will be used to access that resource.
    The authorization server will typically have the capability to map from a resource URI value to
    an appropriate policy. The value of the <tt>resource</tt> parameter <bcp14>MUST</bcp14> be an
    absolute URI, as specified by <xref target="RFC3986" sectionFormat="of" section="4.3" format="default" derivedLink="https://rfc-editor.org/rfc/rfc3986#section-4.3" derivedContent="RFC3986"/>,
    that <bcp14>MAY</bcp14> include a query component and <bcp14>MUST NOT</bcp14> include a fragment component.
    Multiple <tt>resource</tt> parameters may be used to indicate
    that the issued token is intended to be used at the multiple resources listed.
    See <xref target="I-D.ietf-oauth-resource-indicators" format="default" sectionFormat="of" derivedContent="OAUTH-RESOURCE"/> for additional
    background and uses of the <tt>resource</tt> parameter.
  </dd>
          <dt pn="section-2.1-4.5">audience</dt>
          <dd pn="section-2.1-4.6">
            <bcp14>OPTIONAL</bcp14>.  The logical name of the target service where the client intends
    to use the requested security token. This serves a purpose similar to the
    <tt>resource</tt> parameter but with the client
    providing a logical name for the target service. Interpretation of the
    name requires that the value be something that both the client and the
    authorization server understand. An OAuth client identifier, a SAML entity
    identifier <xref target="OASIS.saml-core-2.0-os" format="default" sectionFormat="of" derivedContent="OASIS.saml-core-2.0-os"/>, and an OpenID Connect
    Issuer Identifier <xref target="OpenID.Core" format="default" sectionFormat="of" derivedContent="OpenID.Core"/> are examples of things that
    might be used as <tt>audience</tt> parameter values.
    However, <tt>audience</tt> values used with a given
    authorization server must be unique within that server to ensure that
    they are properly interpreted as the intended type of value.  Multiple
    <tt>audience</tt> parameters may be used to indicate
    that the issued token is intended to be used at the multiple audiences
    listed.  The <tt>audience</tt> and <tt>resource</tt> parameters may be used together to indicate
    multiple target services with a mix of logical names and resource URIs.
  </dd>
          <dt pn="section-2.1-4.7">scope</dt>
          <dd pn="section-2.1-4.8">
            <bcp14>OPTIONAL</bcp14>.  A list of space-delimited, case-sensitive
    strings, as defined in <xref target="RFC6749" sectionFormat="of" section="3.3" format="default" derivedLink="https://rfc-editor.org/rfc/rfc6749#section-3.3" derivedContent="RFC6749"/>, that allow the client to specify the desired scope of
    the requested security token in the context of the service or resource
    where the token will be used. The values and associated semantics of scope
    are service specific and expected to be described in the relevant service
    documentation.</dd>
          <dt pn="section-2.1-4.9">requested_token_type</dt>
          <dd pn="section-2.1-4.10">
            <bcp14>OPTIONAL</bcp14>.
    An identifier, as described in <xref target="TokenTypeIdentifiers" format="default" sectionFormat="of" derivedContent="Section 3"/>, for the type of the requested security token.
    If the requested type is unspecified, the issued token type is at
    the discretion of the authorization server and may be dictated by
    knowledge of the requirements of the service or resource
    indicated by the <tt>resource</tt> or
    <tt>audience</tt> parameter.
  </dd>
          <dt pn="section-2.1-4.11">subject_token</dt>
          <dd pn="section-2.1-4.12">
            <bcp14>REQUIRED</bcp14>.
    A security token that represents the
    identity of the party on behalf of whom the request is being made.
    Typically, the subject of this token will be the subject of
    the security token issued in response to the request.
  </dd>
          <dt pn="section-2.1-4.13">subject_token_type</dt>
          <dd pn="section-2.1-4.14">
            <bcp14>REQUIRED</bcp14>.
    An identifier, as described in <xref target="TokenTypeIdentifiers" format="default" sectionFormat="of" derivedContent="Section 3"/>, that indicates the type of the security token in
    the <tt>subject_token</tt> parameter.
  </dd>
          <dt pn="section-2.1-4.15">actor_token</dt>
          <dd pn="section-2.1-4.16">
            <bcp14>OPTIONAL</bcp14>.
    A security token that represents
    the identity of the acting party. Typically, this will be the party that is authorized to use the requested security token and act on behalf of the subject.
  </dd>
          <dt pn="section-2.1-4.17">actor_token_type</dt>
          <dd pn="section-2.1-4.18">
    An identifier, as described in <xref target="TokenTypeIdentifiers" format="default" sectionFormat="of" derivedContent="Section 3"/>, that indicates the type of the security token in the
    <tt>actor_token</tt> parameter.
    This is <bcp14>REQUIRED</bcp14> when the <tt>actor_token</tt> parameter
    is present in the request but <bcp14>MUST NOT</bcp14> be included otherwise.
  </dd>
        </dl>
        <t pn="section-2.1-5">
  In processing the request, the authorization server <bcp14>MUST</bcp14> perform the appropriate validation procedures for the indicated token
  type and, if the actor token is present, also
  perform the appropriate validation procedures for its indicated token type.
  The validity criteria and details of any particular token are beyond the scope of
  this document and are specific to the respective type of token and its content.
</t>
        <t pn="section-2.1-6">
  In the absence of one-time-use or other semantics specific to the token type, the act of performing
  a token exchange has no impact on the validity of the subject token or actor token.
  Furthermore, the exchange is a one-time event and does not create a tight linkage
  between the input and output tokens, so that (for example) while the expiration
  time of the output token may be influenced by that of the input token,
  renewal or extension of the input token is not expected to be reflected in
  the output token's properties.  It may still be appropriate or desirable to propagate
  token-revocation events. However, doing so is not a general property of the STS
  protocol and would be specific to a particular implementation, token type, or deployment.
</t>
        <section numbered="true" toc="include" removeInRFC="false" pn="section-2.1.1">
          <name slugifiedName="name-relationship-between-resour">Relationship between Resource, Audience, and Scope</name>
          <t pn="section-2.1.1-1">
          When requesting a token, the client can indicate the desired target
          service(s) where it intends to use that token by way of the <tt>audience</tt> and <tt>resource</tt> parameters as well as indicate the
          desired scope of the requested token using the <tt>scope</tt> parameter.

          The semantics of such a request are that the client is asking for a token with the requested
          scope that is usable at all the requested target services. Effectively, the requested access rights of
          the token are the Cartesian product of all the scopes at all the target services.
          </t>
          <t pn="section-2.1.1-2">
          An authorization server may be unwilling or unable to fulfill any token request, but the likelihood
          of an unfulfillable request is significantly higher when very broad access rights are being solicited.
          As such, in the absence of specific knowledge about the relationship of systems in a deployment,
          clients should exercise discretion in the breadth of the access requested, particularly the
          number of target services. An authorization server can use the <tt>invalid_target</tt>
          error code, defined in <xref target="ErrorResponse" format="default" sectionFormat="of" derivedContent="Section 2.2.2"/>, to inform a client that it requested access to
          too many target services simultaneously.
          </t>
        </section>
      </section>
      <section anchor="Response" numbered="true" toc="include" removeInRFC="false" pn="section-2.2">
        <name slugifiedName="name-response">Response</name>
        <t pn="section-2.2-1">
  The authorization server responds to a token exchange request with a normal
  OAuth 2.0 response from the token endpoint, as specified in
  <xref target="RFC6749" sectionFormat="of" section="5" format="default" derivedLink="https://rfc-editor.org/rfc/rfc6749#section-5" derivedContent="RFC6749"/>. Additional details and
  explanation are provided in the following subsections.
</t>
        <section anchor="SuccessfulResponse" numbered="true" toc="include" removeInRFC="false" pn="section-2.2.1">
          <name slugifiedName="name-successful-response">Successful Response</name>
          <t pn="section-2.2.1-1">
  If the request is valid and meets all policy and other criteria of the authorization server,
  a successful token response is constructed by adding the following parameters
  to the entity-body of the HTTP response using the "application/json"
  media type, as specified by <xref target="RFC8259" format="default" sectionFormat="of" derivedContent="RFC8259"/>, and an HTTP 200 status code.  The
  parameters are serialized into a JavaScript Object Notation (JSON)
  structure by adding each parameter at the top level.
  Parameter names and string values are included as JSON strings.
  Numerical values are included as JSON numbers.  The order of
  parameters does not matter and can vary.
</t>
          <dl newline="true" spacing="normal" pn="section-2.2.1-2">
            <dt pn="section-2.2.1-2.1">access_token</dt>
            <dd pn="section-2.2.1-2.2">
              <bcp14>REQUIRED</bcp14>. The security token issued by the authorization server in response
  to the token exchange request.
  The <tt>access_token</tt> parameter from
  <xref target="RFC6749" sectionFormat="of" section="5.1" format="default" derivedLink="https://rfc-editor.org/rfc/rfc6749#section-5.1" derivedContent="RFC6749"/> is used here to carry the requested
  token, which allows this token exchange protocol to use the existing OAuth 2.0 request
  and response constructs defined for the token endpoint.
  The identifier <tt>access_token</tt> is used for historical
  reasons and the issued token need not be an OAuth access token.
</dd>
            <dt pn="section-2.2.1-2.3">issued_token_type</dt>
            <dd pn="section-2.2.1-2.4">
              <bcp14>REQUIRED</bcp14>.  An identifier, as described in <xref target="TokenTypeIdentifiers" format="default" sectionFormat="of" derivedContent="Section 3"/>,
  for the representation of the issued security token.
</dd>
            <dt pn="section-2.2.1-2.5">token_type</dt>
            <dd pn="section-2.2.1-2.6">
              <bcp14>REQUIRED</bcp14>.  A case-insensitive value specifying the method of using the
  access token issued, as specified in <xref target="RFC6749" sectionFormat="of" section="7.1" format="default" derivedLink="https://rfc-editor.org/rfc/rfc6749#section-7.1" derivedContent="RFC6749"/>.
  It provides the client with information about how to utilize the access
  token to access protected resources.  For example, a value of <tt>Bearer</tt>, as specified in <xref target="RFC6750" format="default" sectionFormat="of" derivedContent="RFC6750"/>,
  indicates that the issued security token is a bearer token and the client
  can simply present it as is without any additional proof of eligibility
  beyond the contents of the token itself.  Note that the meaning of this
  parameter is different from the meaning of the <tt>issued_token_type</tt> parameter, which declares the
  representation of the issued security token; the term "token type" is more
  typically used to mean the structural or syntactical representation of the security token, as it is in all <tt>*_token_type</tt> parameters in this specification.  If the
  issued token is not an access token or usable as an access token, then the
  <tt>token_type</tt> value <tt>N_A</tt>
  is used to indicate that an OAuth 2.0 <tt>token_type</tt>
  identifier is not applicable in that context.
</dd>
            <dt pn="section-2.2.1-2.7">expires_in</dt>
            <dd pn="section-2.2.1-2.8">
              <bcp14>RECOMMENDED</bcp14>.  The validity lifetime, in seconds, of the token issued by the
  authorization server. Oftentimes, the client will not have the inclination or capability
  to inspect the content of the token, and this parameter provides a consistent and token-type-agnostic
  indication of how long the token can be expected to be valid.
  For example, the value 1800 denotes that the token will
  expire in thirty minutes from the time the response was generated.
</dd>
            <dt pn="section-2.2.1-2.9">scope</dt>
            <dd pn="section-2.2.1-2.10">
              <bcp14>OPTIONAL</bcp14> if the scope of the issued security token is identical to the scope requested by the client;
  otherwise, it is <bcp14>REQUIRED</bcp14>.
</dd>
            <dt pn="section-2.2.1-2.11">refresh_token</dt>
            <dd pn="section-2.2.1-2.12">
              <bcp14>OPTIONAL</bcp14>.
  A refresh token will typically not be issued when the exchange is of one temporary
  credential (the subject_token) for a different temporary credential (the issued token)
  for use in some other context.
  A refresh token can be issued in cases where the client of the token exchange needs the
  ability to access a resource even when the original credential is no longer valid
  (e.g., user-not-present or offline scenarios where there is no longer any user entertaining
  an active session with the client).
  Profiles or deployments of this specification should clearly document the conditions
  under which a client should expect a refresh token in response to
  <tt>urn:ietf:params:oauth:grant-type:token-exchange</tt>
  grant type requests.
</dd>
          </dl>
        </section>
        <section anchor="ErrorResponse" numbered="true" toc="include" removeInRFC="false" pn="section-2.2.2">
          <name slugifiedName="name-error-response">Error Response</name>
          <t pn="section-2.2.2-1">
    If the request itself is not valid or if either the <tt>subject_token</tt> or <tt>actor_token</tt> are invalid for any reason, or are
    unacceptable based on policy, the authorization server <bcp14>MUST</bcp14> construct an
    error response, as specified in <xref target="RFC6749" sectionFormat="of" section="5.2" format="default" derivedLink="https://rfc-editor.org/rfc/rfc6749#section-5.2" derivedContent="RFC6749"/>.
    The value of the <tt>error</tt> parameter <bcp14>MUST</bcp14> be the
    <tt>invalid_request</tt> error code.
          </t>
          <t pn="section-2.2.2-2">
    If the authorization server is unwilling or unable to issue a token for any target service
    indicated by the <tt>resource</tt> or <tt>audience</tt> parameters,
    the <tt>invalid_target</tt> error code <bcp14>SHOULD</bcp14> be used in the error response.
          </t>
          <t pn="section-2.2.2-3">
    The authorization
    server <bcp14>MAY</bcp14> include additional information regarding the reasons for the error
    using the <tt>error_description</tt> as discussed in <xref target="RFC6749" sectionFormat="of" section="5.2" format="default" derivedLink="https://rfc-editor.org/rfc/rfc6749#section-5.2" derivedContent="RFC6749"/>.
          </t>
          <t pn="section-2.2.2-4">
    Other error codes may also be used, as appropriate.
          </t>
        </section>
      </section>
      <section anchor="MainExample" numbered="true" toc="include" removeInRFC="false" pn="section-2.3">
        <name slugifiedName="name-example-token-exchange">Example Token Exchange</name>
        <t pn="section-2.3-1">
  The following example demonstrates a hypothetical token exchange in which
  an OAuth resource server
  assumes the role of the client during the exchange. It
  trades an access token, which it received in a protected resource request, for a new
  token that it will use to call to a backend service
  (extra line breaks and indentation in the examples are for display purposes only).
</t>
        <t pn="section-2.3-2">
  <xref target="main-prr" format="default" sectionFormat="of" derivedContent="Figure 1"/> shows the resource server receiving a protected resource request containing
  an OAuth access token in the Authorization header, as specified in
  <xref target="RFC6750" sectionFormat="of" section="2.1" format="default" derivedLink="https://rfc-editor.org/rfc/rfc6750#section-2.1" derivedContent="RFC6750"/>.
</t>
        <figure anchor="main-prr" align="left" suppress-title="false" pn="figure-1">
          <name slugifiedName="name-protected-resource-request">Protected Resource Request</name>
          <artwork name="" type="" align="left" alt="" pn="section-2.3-3.1">
 GET /resource HTTP/1.1
 Host: frontend.example.com
 Authorization: Bearer accVkjcJyb4BWCxGsndESCJQbdFMogUC5PbRDqceLTC
</artwork>
        </figure>
        <t pn="section-2.3-4">
  In <xref target="main-tereq" format="default" sectionFormat="of" derivedContent="Figure 2"/>, the resource server assumes the role of
  client for the token exchange, and the access token from the request in
  <xref target="main-prr" format="default" sectionFormat="of" derivedContent="Figure 1"/> is sent to the authorization server using a
  request as specified in <xref target="Request" format="default" sectionFormat="of" derivedContent="Section 2.1"/>.  The value of the <tt>subject_token</tt> parameter carries the access token, and
  the value of the <tt>subject_token_type</tt> parameter
  indicates that it is an OAuth 2.0 access token.  The resource server, acting
  in the role of the client, uses its identifier and secret to authenticate to
  the authorization server using the HTTP Basic authentication scheme.  The
  <tt>resource</tt> parameter indicates the location of the
  backend service, &lt;https://backend.example.com/api&gt;, where the issued token
  will be used.
</t>
        <figure anchor="main-tereq" align="left" suppress-title="false" pn="figure-2">
          <name slugifiedName="name-token-exchange-request">Token Exchange Request</name>
          <artwork name="" type="" align="left" alt="" pn="section-2.3-5.1">
 POST /as/token.oauth2 HTTP/1.1
 Host: as.example.com
 Authorization: Basic cnMwODpsb25nLXNlY3VyZS1yYW5kb20tc2VjcmV0
 Content-Type: application/x-www-form-urlencoded

 grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Atoken-exchange
 &amp;resource=https%3A%2F%2Fbackend.example.com%2Fapi
 &amp;subject_token=accVkjcJyb4BWCxGsndESCJQbdFMogUC5PbRDqceLTC
 &amp;subject_token_type=
  urn%3Aietf%3Aparams%3Aoauth%3Atoken-type%3Aaccess_token
</artwork>
        </figure>
        <t pn="section-2.3-6">
  The authorization server validates the client credentials and the
  <tt>subject_token</tt> presented in the token
  exchange request. From the <tt>resource</tt>
  parameter, the authorization server is able to determine the
  appropriate policy to apply to the request and issues a token
  suitable for use at &lt;https://backend.example.com&gt;.
  The <tt>access_token</tt> parameter of the
  response shown in <xref target="main-teresp" format="default" sectionFormat="of" derivedContent="Figure 3"/> contains the new token, which is itself a bearer OAuth
  access token that is valid for one minute. The token happens to be
  a JWT; however, its structure and format are opaque to
  the client, so the <tt>issued_token_type</tt>
  indicates only that it is an access token.
</t>
        <figure anchor="main-teresp" align="left" suppress-title="false" pn="figure-3">
          <name slugifiedName="name-token-exchange-response">Token Exchange Response</name>
          <artwork name="" type="" align="left" alt="" pn="section-2.3-7.1">
 HTTP/1.1 200 OK
 Content-Type: application/json
 Cache-Control: no-cache, no-store

 {
  "access_token":"eyJhbGciOiJFUzI1NiIsImtpZCI6IjllciJ9.eyJhdWQiOiJo
    dHRwczovL2JhY2tlbmQuZXhhbXBsZS5jb20iLCJpc3MiOiJodHRwczovL2FzLmV
    4YW1wbGUuY29tIiwiZXhwIjoxNDQxOTE3NTkzLCJpYXQiOjE0NDE5MTc1MzMsIn
    N1YiI6ImJkY0BleGFtcGxlLmNvbSIsInNjb3BlIjoiYXBpIn0.40y3ZgQedw6rx
    f59WlwHDD9jryFOr0_Wh3CGozQBihNBhnXEQgU85AI9x3KmsPottVMLPIWvmDCM
    y5-kdXjwhw",
  "issued_token_type":
      "urn:ietf:params:oauth:token-type:access_token",
  "token_type":"Bearer",
  "expires_in":60
 }
</artwork>
        </figure>
        <t pn="section-2.3-8">
  The resource server can then use the newly acquired access token in making
  a request to the backend server as illustrated in <xref target="main-beprr" format="default" sectionFormat="of" derivedContent="Figure 4"/>.
</t>
        <figure anchor="main-beprr" align="left" suppress-title="false" pn="figure-4">
          <name slugifiedName="name-backend-protected-resource-">Backend Protected Resource Request</name>
          <artwork name="" type="" align="left" alt="" pn="section-2.3-9.1">
 GET /api HTTP/1.1
 Host: backend.example.com
 Authorization: Bearer eyJhbGciOiJFUzI1NiIsImtpZCI6IjllciJ9.eyJhdWQ
    iOiJodHRwczovL2JhY2tlbmQuZXhhbXBsZS5jb20iLCJpc3MiOiJodHRwczovL2
    FzLmV4YW1wbGUuY29tIiwiZXhwIjoxNDQxOTE3NTkzLCJpYXQiOjE0NDE5MTc1M
    zMsInN1YiI6ImJkY0BleGFtcGxlLmNvbSIsInNjb3BlIjoiYXBpIn0.40y3ZgQe
    dw6rxf59WlwHDD9jryFOr0_Wh3CGozQBihNBhnXEQgU85AI9x3KmsPottVMLPIW
    vmDCMy5-kdXjwhw
</artwork>
        </figure>
        <t pn="section-2.3-10">
    Additional examples can be found in <xref target="AdditionalExamples" format="default" sectionFormat="of" derivedContent="Appendix A"/>.
        </t>
      </section>
    </section>
    <section anchor="TokenTypeIdentifiers" numbered="true" toc="include" removeInRFC="false" pn="section-3">
      <name slugifiedName="name-token-type-identifiers">Token Type Identifiers</name>
      <t pn="section-3-1">
  Several parameters in this specification utilize an identifier as the value to
  describe the token in question.
  Specifically, they are the
  <tt>requested_token_type</tt>,
  <tt>subject_token_type</tt>, and <tt>actor_token_type</tt>
  parameters of the request and the <tt>issued_token_type</tt> member of the response.
  Token type identifiers are URIs.
  Token exchange can work with both tokens issued by other parties and tokens from
  the given authorization server. For the former, the token type identifier indicates
  the syntax (e.g., JWT or SAML 2.0) so the authorization server can parse it; for the latter, it indicates
  what the given authorization server issued it for (e.g., <tt>access_token</tt> or <tt>refresh_token</tt>).
</t>
      <t pn="section-3-2">
  The following token type identifiers are defined by this specification.
  Other URIs <bcp14>MAY</bcp14> be used to indicate other token types.
</t>
      <dl newline="true" spacing="normal" pn="section-3-3">
        <dt pn="section-3-3.1">urn:ietf:params:oauth:token-type:access_token</dt>
        <dd pn="section-3-3.2">
    Indicates that the token is an OAuth 2.0 access token issued by the given authorization server.
  </dd>
        <dt pn="section-3-3.3">urn:ietf:params:oauth:token-type:refresh_token</dt>
        <dd pn="section-3-3.4">
    Indicates that the token is an OAuth 2.0 refresh token issued by the given authorization server.
  </dd>
        <dt pn="section-3-3.5">urn:ietf:params:oauth:token-type:id_token</dt>
        <dd pn="section-3-3.6">
    Indicates that the token is an ID Token as defined in Section 2 of <xref target="OpenID.Core" format="default" sectionFormat="of" derivedContent="OpenID.Core"/>.
  </dd>
        <dt pn="section-3-3.7">urn:ietf:params:oauth:token-type:saml1</dt>
        <dd pn="section-3-3.8">
    Indicates that the token is a base64url-encoded SAML 1.1 <xref target="OASIS.saml-core-1.1" format="default" sectionFormat="of" derivedContent="OASIS.saml-core-1.1"/> assertion.
  </dd>
        <dt pn="section-3-3.9">urn:ietf:params:oauth:token-type:saml2</dt>
        <dd pn="section-3-3.10">
    Indicates that the token is a base64url-encoded SAML 2.0 <xref target="OASIS.saml-core-2.0-os" format="default" sectionFormat="of" derivedContent="OASIS.saml-core-2.0-os"/> assertion.
  </dd>
      </dl>
      <t pn="section-3-4">
  The value <tt>urn:ietf:params:oauth:token-type:jwt</tt>, which is defined in
  <xref target="RFC7519" sectionFormat="of" section="9" format="default" derivedLink="https://rfc-editor.org/rfc/rfc7519#section-9" derivedContent="JWT"/>, indicates that the token is a JWT.
</t>
      <t pn="section-3-5">
  The distinction between an access token and a JWT is subtle.
  An access token represents a delegated authorization decision, whereas JWT is a token format.
  An access token can be formatted as a JWT but doesn't necessarily have to be. And a
  JWT might well be an access token, but not all JWTs are access tokens.

  The intent of this specification is that <tt>urn:ietf:params:oauth:token-type:access_token</tt>
  be an indicator that the token is a typical OAuth access token issued by the authorization server in question, opaque to the client,
  and usable the same manner as any other access token obtained from that authorization server.
  (It could well be a JWT, but the client isn't and needn't be aware of that fact.)
  Whereas, <tt>urn:ietf:params:oauth:token-type:jwt</tt> is to indicate specifically that a JWT is
  being requested or sent (perhaps in a cross-domain use case where the JWT is used as an authorization grant to
  obtain an access token from a different authorization server as is facilitated by <xref target="RFC7523" format="default" sectionFormat="of" derivedContent="RFC7523"/>).
</t>
      <t pn="section-3-6">
  Note that for tokens that are binary in nature, the URI used for conveying them
  needs to be associated with the semantics of a base64 or other
  encoding suitable for usage with HTTP and OAuth.
</t>
    </section>
    <section anchor="JWTClaims" numbered="true" toc="include" removeInRFC="false" pn="section-4">
      <name slugifiedName="name-json-web-token-claims-and-i">JSON Web Token Claims and Introspection Response Parameters</name>
      <t pn="section-4-1">
   It is useful to have defined mechanisms to express delegation within a
   token as well as to express authorization to delegate or
   impersonate. Although the token exchange protocol described herein can be
   used with any type of token, this section defines claims to express such
   semantics specifically for JWTs and in an OAuth 2.0 Token Introspection <xref target="RFC7662" format="default" sectionFormat="of" derivedContent="RFC7662"/> response.  Similar
   definitions for other types of tokens are possible but beyond the scope of
   this specification.
      </t>
      <t pn="section-4-2">
   Note that the claims not established herein but used in examples and descriptions,
   such as <tt>iss</tt>, <tt>sub</tt>,
   <tt>exp</tt>, etc., are defined by <xref target="RFC7519" format="default" sectionFormat="of" derivedContent="JWT"/>.
      </t>
      <section anchor="actor" numbered="true" toc="include" removeInRFC="false" pn="section-4.1">
        <name slugifiedName="name-act-actor-claim">"act" (Actor) Claim</name>
        <t pn="section-4.1-1">
      The <tt>act</tt> (actor) claim provides a means
      within a JWT to express that delegation has occurred and identify the
      acting party to whom authority has been delegated.  The <tt>act</tt> claim value is a JSON object, and members in
      the JSON object are claims that identify the actor.  The claims that
      make up the <tt>act</tt> claim identify and possibly
      provide additional information about the actor.  For example, the
      combination of the two claims <tt>iss</tt> and <tt>sub</tt> might be necessary to uniquely identify an
      actor.
        </t>
        <t pn="section-4.1-2">
      However, claims within the <tt>act</tt> claim pertain only to the identity of the actor
      and are not relevant to the validity of the containing JWT in the same manner as the top-level claims.
      Consequently, non-identity claims (e.g., <tt>exp</tt>, <tt>nbf</tt>,
      and <tt>aud</tt>) are not meaningful when used within an
      <tt>act</tt> claim and are therefore not used.
        </t>
        <t pn="section-4.1-3"><xref target="act-ex" format="default" sectionFormat="of" derivedContent="Figure 5"/> illustrates the <tt>act</tt> (actor) claim within a JWT Claims Set.  The
        claims of the token itself are about user@example.com while the <tt>act</tt> claim indicates that admin@example.com is the
        current actor.
        </t>
        <figure anchor="act-ex" align="left" suppress-title="false" pn="figure-5">
          <name slugifiedName="name-actor-claim">Actor Claim</name>
          <sourcecode type="json" markers="false" pn="section-4.1-4.1">
 {
   "aud":"https://consumer.example.com",
   "iss":"https://issuer.example.com",
   "exp":1443904177,
   "nbf":1443904077,
   "sub":"user@example.com",
   "act":
   {
     "sub":"admin@example.com"
   }
 }</sourcecode>
        </figure>
        <t pn="section-4.1-5">
      A chain of delegation can be expressed by nesting one <tt>act</tt> claim within
      another. The outermost <tt>act</tt> claim represents the current actor while nested
      <tt>act</tt> claims represent prior actors. The least recent actor is the most deeply
      nested. The nested <tt>act</tt> claims
      serve as a history trail that connects the initial request and subject
      through the various delegation steps undertaken before reaching the
      current actor.  In this sense, the current actor is considered to
      include the entire authorization/delegation history, leading naturally
      to the nested structure described here.
        </t>
        <t pn="section-4.1-6">
      For the purpose of applying access control policy, the consumer of a token <bcp14>MUST</bcp14> only consider the token's
      top-level claims and the party identified as the current actor by the <tt>act</tt>
      claim. Prior actors identified by any nested <tt>act</tt> claims are
      informational only and are not to be considered in access control decisions.
        </t>
        <t pn="section-4.1-7">
        The following example in <xref target="acts-ex" format="default" sectionFormat="of" derivedContent="Figure 6"/> illustrates nested <tt>act</tt> (actor) claims within a JWT Claims Set.
        The claims of the token itself are about user@example.com while the <tt>act</tt> claim indicates
        that the system &lt;https://service16.example.com&gt; is the current actor and &lt;https://service77.example.com&gt; was a prior actor.
        Such a token might come about as the result of service16 receiving a token in a call from service77
        and exchanging it for a token suitable to call service26 while the authorization server
        notes the situation in the newly issued token.
        </t>
        <figure anchor="acts-ex" align="left" suppress-title="false" pn="figure-6">
          <name slugifiedName="name-nested-actor-claim">Nested Actor Claim</name>
          <sourcecode type="json" markers="false" pn="section-4.1-8.1">
 {
   "aud":"https://service26.example.com",
   "iss":"https://issuer.example.com",
   "exp":1443904100,
   "nbf":1443904000,
   "sub":"user@example.com",
   "act":
   {
     "sub":"https://service16.example.com",
     "act":
     {
       "sub":"https://service77.example.com"
     }
   }
 }
</sourcecode>
        </figure>
        <t pn="section-4.1-9">
      When included as a top-level member of an OAuth token introspection response, <tt>act</tt>
      has the same semantics and format as the claim of the same name.
        </t>
      </section>
      <section anchor="scopes" numbered="true" toc="include" removeInRFC="false" pn="section-4.2">
        <name slugifiedName="name-scope-scopes-claim">"scope" (Scopes) Claim</name>
        <t pn="section-4.2-1">
      The value of the <tt>scope</tt> claim is a
      JSON string containing a space-separated list of
      scopes associated with the token, in the format described in
      <xref target="RFC6749" sectionFormat="of" section="3.3" format="default" derivedLink="https://rfc-editor.org/rfc/rfc6749#section-3.3" derivedContent="RFC6749"/>.
        </t>
        <t pn="section-4.2-2"><xref target="scope-ex" format="default" sectionFormat="of" derivedContent="Figure 7"/> illustrates the <tt>scope</tt> claim within a JWT Claims Set.
        </t>
        <figure anchor="scope-ex" align="left" suppress-title="false" pn="figure-7">
          <name slugifiedName="name-scopes-claim">Scopes Claim</name>
          <sourcecode type="json" markers="false" pn="section-4.2-3.1">
 {
   "aud":"https://consumer.example.com",
   "iss":"https://issuer.example.com",
   "exp":1443904177,
   "nbf":1443904077,
   "sub":"dgaf4mvfs75Fci_FL3heQA",
   "scope":"email profile phone address"
 }
</sourcecode>
        </figure>
        <t pn="section-4.2-4">
      <xref target="RFC7662" format="default" sectionFormat="of" derivedContent="RFC7662">OAuth 2.0 Token Introspection</xref> already defines the <tt>scope</tt>
      parameter to convey the scopes associated with the token.
        </t>
      </section>
      <section anchor="client_id" numbered="true" toc="include" removeInRFC="false" pn="section-4.3">
        <name slugifiedName="name-client_id-client-identifier">"client_id" (Client Identifier) Claim</name>
        <t pn="section-4.3-1">
      The <tt>client_id</tt> claim carries the
      client identifier of the <xref target="RFC6749" format="default" sectionFormat="of" derivedContent="RFC6749">OAuth 2.0</xref> client that
      requested the token.
        </t>
        <t pn="section-4.3-2">
        The following example in <xref target="client_id-ex" format="default" sectionFormat="of" derivedContent="Figure 8"/> illustrates the <tt>client_id</tt> claim within a JWT Claims Set
        indicating an OAuth 2.0 client with "s6BhdRkqt3" as its identifier.
        </t>
        <figure anchor="client_id-ex" align="left" suppress-title="false" pn="figure-8">
          <name slugifiedName="name-client-identifier-claim">Client Identifier Claim</name>
          <sourcecode type="json" markers="false" pn="section-4.3-3.1">
 {
   "aud":"https://consumer.example.com",
   "iss":"https://issuer.example.com",
   "exp":1443904177,
   "sub":"user@example.com",
   "client_id":"s6BhdRkqt3"
 }
</sourcecode>
        </figure>
        <t pn="section-4.3-4">
      <xref target="RFC7662" format="default" sectionFormat="of" derivedContent="RFC7662">OAuth 2.0 Token Introspection</xref> already defines the <tt>client_id</tt>
      parameter as the client identifier for the OAuth 2.0 client that requested the token.
        </t>
      </section>
      <section anchor="may_act" numbered="true" toc="include" removeInRFC="false" pn="section-4.4">
        <name slugifiedName="name-may_act-authorized-actor-cl">"may_act" (Authorized Actor) Claim</name>
        <t pn="section-4.4-1">
      The <tt>may_act</tt> claim makes a statement that one party is authorized to
      become the actor and act on behalf of another party.
      The claim might be used, for example, when a <tt>subject_token</tt> is
      presented to the token endpoint in a token exchange request and
      <tt>may_act</tt> claim in the subject token can be used by the authorization
      server to determine whether the client (or party identified in the
      <tt>actor_token</tt>) is authorized to engage in the requested delegation or
      impersonation.
      The claim value is a JSON object, and members in the JSON object are claims that identify the party that
      is asserted as being eligible to act for the party identified by
      the JWT containing the claim.
      The claims that make up the <tt>may_act</tt>
      claim identify and possibly provide additional information about the authorized actor.
      For example, the combination of the two claims <tt>iss</tt>
      and <tt>sub</tt> are sometimes necessary to uniquely identify an authorized actor,
      while the <tt>email</tt> claim might be used to provide additional useful information about
      that party.
        </t>
        <t pn="section-4.4-2">
      However, claims within the <tt>may_act</tt> claim pertain only to the identity of that party
      and are not relevant to the validity of the containing JWT
      in the same manner as top-level claims.
      Consequently, claims such as <tt>exp</tt>, <tt>nbf</tt>, and
      <tt>aud</tt> are not meaningful when used within a <tt>may_act</tt>
      claim and are therefore not used.
        </t>
        <t pn="section-4.4-3"><xref target="may_act-ex" format="default" sectionFormat="of" derivedContent="Figure 9"/> illustrates the <tt>may_act</tt> claim within a JWT Claims Set.
        The claims of the token itself are about user@example.com while the <tt>may_act</tt> claim indicates
        that admin@example.com is authorized to act on behalf of user@example.com.
        </t>
        <figure anchor="may_act-ex" align="left" suppress-title="false" pn="figure-9">
          <name slugifiedName="name-authorized-actor-claim">Authorized Actor Claim</name>
          <sourcecode type="json" markers="false" pn="section-4.4-4.1">
 {
   "aud":"https://consumer.example.com",
   "iss":"https://issuer.example.com",
   "exp":1443904177,
   "nbf":1443904077,
   "sub":"user@example.com",
   "may_act":
   {
     "sub":"admin@example.com"
   }
 }
</sourcecode>
        </figure>
        <t pn="section-4.4-5">
      When included as a top-level member of an OAuth token introspection response, <tt>may_act</tt>
      has the same semantics and format as the claim of the same name.
        </t>
      </section>
    </section>
    <section anchor="Security" numbered="true" toc="include" removeInRFC="false" pn="section-5">
      <name slugifiedName="name-security-considerations">Security Considerations</name>
      <t pn="section-5-1">
        Much of the guidance from <xref target="RFC6749" sectionFormat="of" section="10" format="default" derivedLink="https://rfc-editor.org/rfc/rfc6749#section-10" derivedContent="RFC6749"/>,
        the Security Considerations in The OAuth 2.0 Authorization Framework,
        is also applicable here.
        Furthermore, <xref target="RFC6819" format="default" sectionFormat="of" derivedContent="RFC6819"/>
        provides additional security considerations for OAuth, and
        <xref target="I-D.ietf-oauth-security-topics" format="default" sectionFormat="of" derivedContent="OAUTH-SECURITY"/>
        has updated security guidance based on deployment experience and new threats that have
        emerged since OAuth 2.0 was originally published.
      </t>
      <t pn="section-5-2">
        All of the normal security issues that are discussed in <xref target="RFC7519" format="default" sectionFormat="of" derivedContent="JWT"/>,
        especially in relationship to comparing URIs and dealing with unrecognized values,
        also apply here.
      </t>
      <t pn="section-5-3">
        In addition, both delegation and impersonation introduce unique
        security issues.  Any time one principal is delegated the rights of
        another principal, the potential for abuse is a concern.  The use of
        the <tt>scope</tt> claim (in addition to other
        typical constraints such as a limited token lifetime) is suggested to
        mitigate potential for such abuse, as it restricts the contexts in
        which the delegated rights can be exercised.
      </t>
    </section>
    <section anchor="Privacy" numbered="true" toc="include" removeInRFC="false" pn="section-6">
      <name slugifiedName="name-privacy-considerations">Privacy Considerations</name>
      <t pn="section-6-1">
        Tokens employed in the context of the functionality described herein
        may contain privacy-sensitive information and, to prevent
        disclosure of such information to unintended parties, <bcp14>MUST</bcp14> only be
        transmitted over encrypted channels, such as Transport Layer Security
        (TLS).  In cases where it is desirable to prevent disclosure of certain
        information to the client, the token <bcp14>MUST</bcp14> be encrypted to its
        intended recipient. Deployments <bcp14>SHOULD</bcp14> determine the minimally necessary
        amount of data and only include such information in issued tokens.
        In some cases, data minimization may include representing only an
        anonymous or pseudonymous user.
      </t>
    </section>
    <section anchor="IANA" numbered="true" toc="include" removeInRFC="false" pn="section-7">
      <name slugifiedName="name-iana-considerations">IANA Considerations</name>
      <section anchor="URIReg" numbered="true" toc="include" removeInRFC="false" pn="section-7.1">
        <name slugifiedName="name-oauth-uri-registration">OAuth URI Registration</name>
        <t pn="section-7.1-1">
	  IANA has registered the following values in the
	  "OAuth URI" subregistry of the "OAuth Parameters" registry
	  <xref target="IANA.OAuth.Parameters" format="default" sectionFormat="of" derivedContent="IANA.OAuth.Parameters"/>. The "OAuth URI" subregistry was
	  established by <xref target="RFC6755" format="default" sectionFormat="of" derivedContent="RFC6755"/>.
        </t>
        <ul spacing="compact" bare="false" empty="false" pn="section-7.1-2">
          <li pn="section-7.1-2.1">URN: urn:ietf:params:oauth:grant-type:token-exchange</li>
          <li pn="section-7.1-2.2">Common Name: Token exchange grant type for OAuth 2.0</li>
          <li pn="section-7.1-2.3">Change Controller: IESG</li>
          <li pn="section-7.1-2.4">Specification Document: <xref target="Request" format="default" sectionFormat="of" derivedContent="Section 2.1"/> of RFC 8693</li>
        </ul>
        <ul spacing="compact" bare="false" empty="false" pn="section-7.1-3">
          <li pn="section-7.1-3.1">URN: urn:ietf:params:oauth:token-type:access_token</li>
          <li pn="section-7.1-3.2">Common Name: Token type URI for an OAuth 2.0 access token</li>
          <li pn="section-7.1-3.3">Change Controller: IESG</li>
          <li pn="section-7.1-3.4">Specification Document: <xref target="TokenTypeIdentifiers" format="default" sectionFormat="of" derivedContent="Section 3"/> of RFC 8693</li>
        </ul>
        <ul spacing="compact" bare="false" empty="false" pn="section-7.1-4">
          <li pn="section-7.1-4.1">URN: urn:ietf:params:oauth:token-type:refresh_token</li>
          <li pn="section-7.1-4.2">Common Name: Token type URI for an OAuth 2.0 refresh token</li>
          <li pn="section-7.1-4.3">Change Controller: IESG</li>
          <li pn="section-7.1-4.4">Specification Document: <xref target="TokenTypeIdentifiers" format="default" sectionFormat="of" derivedContent="Section 3"/> of RFC 8693</li>
        </ul>
        <ul spacing="compact" bare="false" empty="false" pn="section-7.1-5">
          <li pn="section-7.1-5.1">URN: urn:ietf:params:oauth:token-type:id_token</li>
          <li pn="section-7.1-5.2">Common Name: Token type URI for an ID Token</li>
          <li pn="section-7.1-5.3">Change Controller: IESG</li>
          <li pn="section-7.1-5.4">Specification Document: <xref target="TokenTypeIdentifiers" format="default" sectionFormat="of" derivedContent="Section 3"/> of RFC 8693</li>
        </ul>
        <ul spacing="compact" bare="false" empty="false" pn="section-7.1-6">
          <li pn="section-7.1-6.1">URN: urn:ietf:params:oauth:token-type:saml1</li>
          <li pn="section-7.1-6.2">Common Name: Token type URI for a base64url-encoded SAML 1.1 assertion</li>
          <li pn="section-7.1-6.3">Change Controller: IESG</li>
          <li pn="section-7.1-6.4">Specification Document: <xref target="TokenTypeIdentifiers" format="default" sectionFormat="of" derivedContent="Section 3"/> of RFC 8693</li>
        </ul>
        <ul spacing="compact" bare="false" empty="false" pn="section-7.1-7">
          <li pn="section-7.1-7.1">URN: urn:ietf:params:oauth:token-type:saml2</li>
          <li pn="section-7.1-7.2">Common Name: Token type URI for a base64url-encoded SAML 2.0 assertion</li>
          <li pn="section-7.1-7.3">Change Controller: IESG</li>
          <li pn="section-7.1-7.4">Specification Document: <xref target="TokenTypeIdentifiers" format="default" sectionFormat="of" derivedContent="Section 3"/> of RFC 8693</li>
        </ul>
      </section>
      <section anchor="OAuthParametersReg" numbered="true" toc="include" removeInRFC="false" pn="section-7.2">
        <name slugifiedName="name-oauth-parameters-registrati">OAuth Parameters Registration</name>
        <t pn="section-7.2-1">
	  IANA has registered the following values
	  in the "OAuth Parameters" subregistry of the "OAuth Parameters" registry
	  <xref target="IANA.OAuth.Parameters" format="default" sectionFormat="of" derivedContent="IANA.OAuth.Parameters"/>. The "OAuth Parameters"
	  subregistry was
	  established by <xref target="RFC6749" format="default" sectionFormat="of" derivedContent="RFC6749"/>.
        </t>
        <ul spacing="compact" bare="false" empty="false" pn="section-7.2-2">
          <li pn="section-7.2-2.1">Parameter name: audience</li>
          <li pn="section-7.2-2.2">Parameter usage location: token request</li>
          <li pn="section-7.2-2.3">Change controller: IESG</li>
          <li pn="section-7.2-2.4">Specification document(s): <xref target="Request" format="default" sectionFormat="of" derivedContent="Section 2.1"/> of RFC 8693</li>
        </ul>
        <ul spacing="compact" bare="false" empty="false" pn="section-7.2-3">
          <li pn="section-7.2-3.1">Parameter name: requested_token_type</li>
          <li pn="section-7.2-3.2">Parameter usage location: token request</li>
          <li pn="section-7.2-3.3">Change controller: IESG</li>
          <li pn="section-7.2-3.4">Specification document(s): <xref target="Request" format="default" sectionFormat="of" derivedContent="Section 2.1"/> of RFC 8693</li>
        </ul>
        <ul spacing="compact" bare="false" empty="false" pn="section-7.2-4">
          <li pn="section-7.2-4.1">Parameter name: subject_token</li>
          <li pn="section-7.2-4.2">Parameter usage location: token request</li>
          <li pn="section-7.2-4.3">Change controller: IESG</li>
          <li pn="section-7.2-4.4">Specification document(s): <xref target="Request" format="default" sectionFormat="of" derivedContent="Section 2.1"/> of RFC 8693</li>
        </ul>
        <ul spacing="compact" bare="false" empty="false" pn="section-7.2-5">
          <li pn="section-7.2-5.1">Parameter name: subject_token_type</li>
          <li pn="section-7.2-5.2">Parameter usage location: token request</li>
          <li pn="section-7.2-5.3">Change controller: IESG</li>
          <li pn="section-7.2-5.4">Specification document(s): <xref target="Request" format="default" sectionFormat="of" derivedContent="Section 2.1"/> of RFC 8693</li>
        </ul>
        <ul spacing="compact" bare="false" empty="false" pn="section-7.2-6">
          <li pn="section-7.2-6.1">Parameter name: actor_token</li>
          <li pn="section-7.2-6.2">Parameter usage location: token request</li>
          <li pn="section-7.2-6.3">Change controller: IESG</li>
          <li pn="section-7.2-6.4">Specification document(s): <xref target="Request" format="default" sectionFormat="of" derivedContent="Section 2.1"/> of RFC 8693</li>
        </ul>
        <ul spacing="compact" bare="false" empty="false" pn="section-7.2-7">
          <li pn="section-7.2-7.1">Parameter name: actor_token_type</li>
          <li pn="section-7.2-7.2">Parameter usage location: token request</li>
          <li pn="section-7.2-7.3">Change controller: IESG</li>
          <li pn="section-7.2-7.4">Specification document(s): <xref target="Request" format="default" sectionFormat="of" derivedContent="Section 2.1"/> of RFC 8693</li>
        </ul>
        <ul spacing="compact" bare="false" empty="false" pn="section-7.2-8">
          <li pn="section-7.2-8.1">Parameter name: issued_token_type</li>
          <li pn="section-7.2-8.2">Parameter usage location: token response</li>
          <li pn="section-7.2-8.3">Change controller: IESG</li>
          <li pn="section-7.2-8.4">Specification document(s): <xref target="SuccessfulResponse" format="default" sectionFormat="of" derivedContent="Section 2.2.1"/> of RFC 8693</li>
        </ul>
      </section>
      <section anchor="TokenTypeReg" numbered="true" toc="include" removeInRFC="false" pn="section-7.3">
        <name slugifiedName="name-oauth-access-token-type-reg">OAuth Access Token Type Registration</name>
        <t pn="section-7.3-1">
          IANA has registered the following access token type
	  in the "OAuth Access Token Types" subregistry of the "OAuth
	  Parameters" registry
	  <xref target="IANA.OAuth.Parameters" format="default" sectionFormat="of" derivedContent="IANA.OAuth.Parameters"/>. The "OAuth Access Token
	  Types" subregistry was
	  established by <xref target="RFC6749" format="default" sectionFormat="of" derivedContent="RFC6749"/>.
        </t>
        <ul spacing="compact" bare="false" empty="false" pn="section-7.3-2">
          <li pn="section-7.3-2.1">Type name: N_A</li>
          <li pn="section-7.3-2.2">Additional Token Endpoint Response Parameters: none</li>
          <li pn="section-7.3-2.3">HTTP Authentication Scheme(s): none</li>
          <li pn="section-7.3-2.4">Change controller: IESG</li>
          <li pn="section-7.3-2.5">Specification document(s): <xref target="SuccessfulResponse" format="default" sectionFormat="of" derivedContent="Section 2.2.1"/> of RFC 8693</li>
        </ul>
      </section>
      <section anchor="ClaimsReg" numbered="true" toc="include" removeInRFC="false" pn="section-7.4">
        <name slugifiedName="name-json-web-token-claims-regis">JSON Web Token Claims Registration</name>
        <t pn="section-7.4-1">
	  IANA has registered the following Claims
	  in the "JSON Web Token Claims" subregistry of the "JSON Web Token
	  (JWT)" registry
	  <xref target="IANA.JWT" format="default" sectionFormat="of" derivedContent="IANA.JWT"/>. The "JSON Web Token Claims"
	  subregistry was
	  established by <xref target="RFC7519" format="default" sectionFormat="of" derivedContent="JWT"/>.
        </t>
        <ul spacing="compact" bare="false" empty="false" pn="section-7.4-2">
          <li pn="section-7.4-2.1">Claim Name: act</li>
          <li pn="section-7.4-2.2">Claim Description: Actor</li>
          <li pn="section-7.4-2.3">Change Controller: IESG</li>
          <li pn="section-7.4-2.4">Specification Document(s): <xref target="actor" format="default" sectionFormat="of" derivedContent="Section 4.1"/> of RFC 8693</li>
        </ul>
        <ul spacing="compact" bare="false" empty="false" pn="section-7.4-3">
          <li pn="section-7.4-3.1">Claim Name: scope</li>
          <li pn="section-7.4-3.2">Claim Description: Scope Values</li>
          <li pn="section-7.4-3.3">Change Controller: IESG</li>
          <li pn="section-7.4-3.4">Specification Document(s): <xref target="scopes" format="default" sectionFormat="of" derivedContent="Section 4.2"/> of RFC 8693</li>
        </ul>
        <ul spacing="compact" bare="false" empty="false" pn="section-7.4-4">
          <li pn="section-7.4-4.1">Claim Name: client_id</li>
          <li pn="section-7.4-4.2">Claim Description: Client Identifier</li>
          <li pn="section-7.4-4.3">Change Controller: IESG</li>
          <li pn="section-7.4-4.4">Specification Document(s): <xref target="client_id" format="default" sectionFormat="of" derivedContent="Section 4.3"/> of RFC 8693</li>
        </ul>
        <ul spacing="compact" bare="false" empty="false" pn="section-7.4-5">
          <li pn="section-7.4-5.1">Claim Name: may_act</li>
          <li pn="section-7.4-5.2">Claim Description: Authorized Actor - the party that is authorized to become the actor</li>
          <li pn="section-7.4-5.3">Change Controller: IESG</li>
          <li pn="section-7.4-5.4">Specification Document(s): <xref target="may_act" format="default" sectionFormat="of" derivedContent="Section 4.4"/> of RFC 8693</li>
        </ul>
      </section>
      <section anchor="IntrospectionReg" numbered="true" toc="include" removeInRFC="false" pn="section-7.5">
        <name slugifiedName="name-oauth-token-introspection-r">OAuth Token Introspection Response Registration</name>
        <t pn="section-7.5-1">
          IANA has registered the following values
          in the "OAuth Token Introspection Response" registry of the "OAuth
	  Parameters" registry
          <xref target="IANA.OAuth.Parameters" format="default" sectionFormat="of" derivedContent="IANA.OAuth.Parameters"/>. The "OAuth Token
	  Introspection Response" registry was
          established by <xref target="RFC7662" format="default" sectionFormat="of" derivedContent="RFC7662"/>.
        </t>
        <ul spacing="compact" bare="false" empty="false" pn="section-7.5-2">
          <li pn="section-7.5-2.1">Name: act</li>
          <li pn="section-7.5-2.2">Description: Actor</li>
          <li pn="section-7.5-2.3">Change Controller: IESG</li>
          <li pn="section-7.5-2.4">Specification Document(s): <xref target="actor" format="default" sectionFormat="of" derivedContent="Section 4.1"/> of RFC 8693</li>
        </ul>
        <ul spacing="compact" bare="false" empty="false" pn="section-7.5-3">
          <li pn="section-7.5-3.1">Name: may_act</li>
          <li pn="section-7.5-3.2">Description: Authorized Actor - the party that is authorized to become the actor</li>
          <li pn="section-7.5-3.3">Change Controller: IESG</li>
          <li pn="section-7.5-3.4">Specification Document(s): <xref target="may_act" format="default" sectionFormat="of" derivedContent="Section 4.4"/> of RFC 8693</li>
        </ul>
      </section>
    </section>
  </middle>
  <back>
    <displayreference target="RFC7519" to="JWT"/>
    <displayreference target="I-D.ietf-oauth-security-topics" to="OAUTH-SECURITY"/>
    <displayreference target="I-D.ietf-oauth-resource-indicators" to="OAUTH-RESOURCE"/>
    <references pn="section-8">
      <name slugifiedName="name-references">References</name>
      <references pn="section-8.1">
        <name slugifiedName="name-normative-references">Normative References</name>
        <reference anchor="IANA.JWT" target="https://www.iana.org/assignments/jwt" quoteTitle="true" derivedAnchor="IANA.JWT">
          <front>
            <title>JSON Web Token (JWT)</title>
            <author>
              <organization showOnFrontPage="true">IANA</organization>
            </author>
          </front>
        </reference>
        <reference anchor="IANA.OAuth.Parameters" target="https://www.iana.org/assignments/oauth-parameters" quoteTitle="true" derivedAnchor="IANA.OAuth.Parameters">
          <front>
            <title>OAuth Parameters</title>
            <author>
              <organization showOnFrontPage="true">IANA</organization>
            </author>
          </front>
        </reference>
        <reference anchor="RFC7519" target="https://www.rfc-editor.org/info/rfc7519" quoteTitle="true" derivedAnchor="JWT">
          <front>
            <title>JSON Web Token (JWT)</title>
            <author initials="M." surname="Jones" fullname="M. Jones">
              <organization showOnFrontPage="true"/>
            </author>
            <author initials="J." surname="Bradley" fullname="J. Bradley">
              <organization showOnFrontPage="true"/>
            </author>
            <author initials="N." surname="Sakimura" fullname="N. Sakimura">
              <organization showOnFrontPage="true"/>
            </author>
            <date year="2015" month="May"/>
            <abstract>
              <t>JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties.  The claims in a JWT are encoded as a JSON object that is used as the payload of a JSON Web Signature (JWS) structure or as the plaintext of a JSON Web Encryption (JWE) structure, enabling the claims to be digitally signed or integrity protected with a Message Authentication Code (MAC) and/or encrypted.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7519"/>
          <seriesInfo name="DOI" value="10.17487/RFC7519"/>
        </reference>
        <reference anchor="RFC2119" target="https://www.rfc-editor.org/info/rfc2119" quoteTitle="true" derivedAnchor="RFC2119">
          <front>
            <title>Key words for use in RFCs to Indicate Requirement Levels</title>
            <author initials="S." surname="Bradner" fullname="S. Bradner">
              <organization showOnFrontPage="true"/>
            </author>
            <date year="1997" month="March"/>
            <abstract>
              <t>In many standards track documents several words are used to signify the requirements in the specification.  These words are often capitalized. This document defines these words as they should be interpreted in IETF documents.  This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="2119"/>
          <seriesInfo name="DOI" value="10.17487/RFC2119"/>
        </reference>
        <reference anchor="RFC3986" target="https://www.rfc-editor.org/info/rfc3986" quoteTitle="true" derivedAnchor="RFC3986">
          <front>
            <title>Uniform Resource Identifier (URI): Generic Syntax</title>
            <author initials="T." surname="Berners-Lee" fullname="T. Berners-Lee">
              <organization showOnFrontPage="true"/>
            </author>
            <author initials="R." surname="Fielding" fullname="R. Fielding">
              <organization showOnFrontPage="true"/>
            </author>
            <author initials="L." surname="Masinter" fullname="L. Masinter">
              <organization showOnFrontPage="true"/>
            </author>
            <date year="2005" month="January"/>
            <abstract>
              <t>A Uniform Resource Identifier (URI) is a compact sequence of characters that identifies an abstract or physical resource.  This specification defines the generic URI syntax and a process for resolving URI references that might be in relative form, along with guidelines and security considerations for the use of URIs on the Internet.  The URI syntax defines a grammar that is a superset of all valid URIs, allowing an implementation to parse the common components of a URI reference without knowing the scheme-specific requirements of every possible identifier.  This specification does not define a generative grammar for URIs; that task is performed by the individual specifications of each URI scheme.  [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="STD" value="66"/>
          <seriesInfo name="RFC" value="3986"/>
          <seriesInfo name="DOI" value="10.17487/RFC3986"/>
        </reference>
        <reference anchor="RFC6749" target="https://www.rfc-editor.org/info/rfc6749" quoteTitle="true" derivedAnchor="RFC6749">
          <front>
            <title>The OAuth 2.0 Authorization Framework</title>
            <author initials="D." surname="Hardt" fullname="D. Hardt" role="editor">
              <organization showOnFrontPage="true"/>
            </author>
            <date year="2012" month="October"/>
            <abstract>
              <t>The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf.  This specification replaces and obsoletes the OAuth 1.0 protocol described in RFC 5849.  [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="6749"/>
          <seriesInfo name="DOI" value="10.17487/RFC6749"/>
        </reference>
        <reference anchor="RFC7662" target="https://www.rfc-editor.org/info/rfc7662" quoteTitle="true" derivedAnchor="RFC7662">
          <front>
            <title>OAuth 2.0 Token Introspection</title>
            <author initials="J." surname="Richer" fullname="J. Richer" role="editor">
              <organization showOnFrontPage="true"/>
            </author>
            <date year="2015" month="October"/>
            <abstract>
              <t>This specification defines a method for a protected resource to query an OAuth 2.0 authorization server to determine the active state of an OAuth 2.0 token and to determine meta-information about this token. OAuth 2.0 deployments can use this method to convey information about the authorization context of the token from the authorization server to the protected resource.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7662"/>
          <seriesInfo name="DOI" value="10.17487/RFC7662"/>
        </reference>
        <reference anchor="RFC8174" target="https://www.rfc-editor.org/info/rfc8174" quoteTitle="true" derivedAnchor="RFC8174">
          <front>
            <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
            <author initials="B." surname="Leiba" fullname="B. Leiba">
              <organization showOnFrontPage="true"/>
            </author>
            <date year="2017" month="May"/>
            <abstract>
              <t>RFC 2119 specifies common key words that may be used in protocol  specifications.  This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the  defined special meanings.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="8174"/>
          <seriesInfo name="DOI" value="10.17487/RFC8174"/>
        </reference>
        <reference anchor="RFC8259" target="https://www.rfc-editor.org/info/rfc8259" quoteTitle="true" derivedAnchor="RFC8259">
          <front>
            <title>The JavaScript Object Notation (JSON) Data Interchange Format</title>
            <author initials="T." surname="Bray" fullname="T. Bray" role="editor">
              <organization showOnFrontPage="true"/>
            </author>
            <date year="2017" month="December"/>
            <abstract>
              <t>JavaScript Object Notation (JSON) is a lightweight, text-based, language-independent data interchange format.  It was derived from the ECMAScript Programming Language Standard.  JSON defines a small set of formatting rules for the portable representation of structured data.</t>
              <t>This document removes inconsistencies with other specifications of JSON, repairs specification errors, and offers experience-based interoperability guidance.</t>
            </abstract>
          </front>
          <seriesInfo name="STD" value="90"/>
          <seriesInfo name="RFC" value="8259"/>
          <seriesInfo name="DOI" value="10.17487/RFC8259"/>
        </reference>
      </references>
      <references pn="section-8.2">
        <name slugifiedName="name-informative-references">Informative References</name>
        <reference anchor="OASIS.saml-core-1.1" target="https://www.oasis-open.org/committees/download.php/3406/oasis-sstc-saml-core-1.1.pdf" quoteTitle="true" derivedAnchor="OASIS.saml-core-1.1">
          <front>
            <title>Assertions and Protocol for the OASIS Security Assertion Markup Language (SAML) V1.1</title>
            <seriesInfo name="OASIS Standard" value="oasis-sstc-saml-core-1.1"/>
            <author fullname="Eve Maler" initials="E." surname="Maler">
              <organization showOnFrontPage="true">Sun Microsystems</organization>
              <address>
                <email>eve.maler@sun.com</email>
              </address>
            </author>
            <author fullname="Prateek Mishra" initials="P." surname="Mishra">
              <organization showOnFrontPage="true">Netegrity, Inc.</organization>
              <address>
                <email>pmishra@netegrity.com</email>
              </address>
            </author>
            <author fullname="Rob Philpott" initials="R." surname="Philpott">
              <organization showOnFrontPage="true">RSA Security</organization>
              <address>
                <email>rphilpott@rsasecurity.com</email>
              </address>
            </author>
            <date year="2003" month="September"/>
          </front>
        </reference>
        <reference anchor="OASIS.saml-core-2.0-os" target="http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf" quoteTitle="true" derivedAnchor="OASIS.saml-core-2.0-os">
          <front>
            <title>Assertions and Protocol for the OASIS Security Assertion Markup Language (SAML) V2.0</title>
            <seriesInfo name="OASIS Standard" value="saml-core-2.0-os"/>
            <author fullname="Scott Cantor" initials="S." surname="Cantor">
              <organization showOnFrontPage="true">Internet2</organization>
              <address>
                <email>cantor.2@osu.edu</email>
              </address>
            </author>
            <author fullname="John Kemp" initials="J." surname="Kemp">
              <organization showOnFrontPage="true">Nokia</organization>
              <address>
                <email>John.Kemp@nokia.com</email>
              </address>
            </author>
            <author fullname="Rob Philpott" initials="R." surname="Philpott">
              <organization showOnFrontPage="true">RSA Security</organization>
              <address>
                <email>rphilpott@rsasecurity.com</email>
              </address>
            </author>
            <author fullname="Eve Maler" initials="E." surname="Maler">
              <organization showOnFrontPage="true">Sun Microsystems</organization>
              <address>
                <email>eve.maler@sun.com</email>
              </address>
            </author>
            <date year="2005" month="March"/>
          </front>
        </reference>
        <reference anchor="I-D.ietf-oauth-resource-indicators" quoteTitle="true" target="https://tools.ietf.org/html/draft-ietf-oauth-resource-indicators-08" derivedAnchor="OAUTH-RESOURCE">
          <front>
            <title>Resource Indicators for OAuth 2.0</title>
            <author initials="B" surname="Campbell" fullname="Brian Campbell">
              <organization showOnFrontPage="true"/>
            </author>
            <author initials="J" surname="Bradley" fullname="John Bradley">
              <organization showOnFrontPage="true"/>
            </author>
            <author initials="H" surname="Tschofenig" fullname="Hannes Tschofenig">
              <organization showOnFrontPage="true"/>
            </author>
            <date month="September" day="11" year="2019"/>
            <abstract>
              <t>This document specifies an extension to the OAuth 2.0 Authorization Framework defining request parameters that enable a client to explicitly signal to an authorization server about the identity of the protected resource(s) to which it is requesting access.</t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-oauth-resource-indicators-08"/>
          <format type="TXT" target="http://www.ietf.org/internet-drafts/draft-ietf-oauth-resource-indicators-08.txt"/>
          <refcontent>Work in Progress</refcontent>
        </reference>
        <reference anchor="I-D.ietf-oauth-security-topics" quoteTitle="true" target="https://tools.ietf.org/html/draft-ietf-oauth-security-topics-13" derivedAnchor="OAUTH-SECURITY">
          <front>
            <title>OAuth 2.0 Security Best Current Practice</title>
            <author initials="T" surname="Lodderstedt" fullname="Torsten Lodderstedt">
              <organization showOnFrontPage="true"/>
            </author>
            <author initials="J" surname="Bradley" fullname="John Bradley">
              <organization showOnFrontPage="true"/>
            </author>
            <author initials="A" surname="Labunets" fullname="Andrey Labunets">
              <organization showOnFrontPage="true"/>
            </author>
            <author initials="D" surname="Fett" fullname="Daniel Fett">
              <organization showOnFrontPage="true"/>
            </author>
            <date month="July" day="8" year="2019"/>
            <abstract>
              <t>This document describes best current security practice for OAuth 2.0. It updates and extends the OAuth 2.0 Security Threat Model to incorporate practical experiences gathered since OAuth 2.0 was published and covers new threats relevant due to the broader application of OAuth 2.0.</t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-oauth-security-topics-13"/>
          <format type="TXT" target="http://www.ietf.org/internet-drafts/draft-ietf-oauth-security-topics-13.txt"/>
          <refcontent>Work in Progress</refcontent>
        </reference>
        <reference anchor="OpenID.Core" target="https://openid.net/specs/openid-connect-core-1_0.html" quoteTitle="true" derivedAnchor="OpenID.Core">
          <front>
            <title abbrev="OpenID Connect Core 1.0">OpenID Connect Core 1.0</title>
            <author fullname="Nat Sakimura" initials="N." surname="Sakimura">
              <organization abbrev="NRI" showOnFrontPage="true">Nomura Research Institute, Ltd.</organization>
              <address>
                <email>n-sakimura@nri.co.jp</email>
                <uri>https://nat.sakimura.org/</uri>
              </address>
            </author>
            <author fullname="John Bradley" initials="J." surname="Bradley">
              <organization abbrev="Ping Identity" showOnFrontPage="true">Ping Identity</organization>
              <address>
                <email>ve7jtb@ve7jtb.com</email>
                <uri>http://www.thread-safe.com/</uri>
              </address>
            </author>
            <author fullname="Michael B. Jones" initials="M." surname="Jones">
              <organization abbrev="Microsoft" showOnFrontPage="true">Microsoft</organization>
              <address>
                <email>mbj@microsoft.com</email>
                <uri>https://self-issued.info/</uri>
              </address>
            </author>
            <author fullname="Breno de Medeiros" initials="B." surname="de Medeiros">
              <organization abbrev="Google" showOnFrontPage="true">Google</organization>
              <address>
                <email>breno@google.com</email>
                <uri>https://stackoverflow.com/users/311376/breno</uri>
              </address>
            </author>
            <author fullname="Chuck Mortimore" initials="C." surname="Mortimore">
              <organization abbrev="Visa" showOnFrontPage="true">Visa</organization>
              <address>
                <email>chuck.mortimore@visa.com</email>
                <uri>https://twitter.com/cmort</uri>
              </address>
            </author>
            <date month="November" year="2014"/>
            <workgroup>OpenID Connect Working Group</workgroup>
          </front>
        </reference>
        <reference anchor="RFC6750" target="https://www.rfc-editor.org/info/rfc6750" quoteTitle="true" derivedAnchor="RFC6750">
          <front>
            <title>The OAuth 2.0 Authorization Framework: Bearer Token Usage</title>
            <author initials="M." surname="Jones" fullname="M. Jones">
              <organization showOnFrontPage="true"/>
            </author>
            <author initials="D." surname="Hardt" fullname="D. Hardt">
              <organization showOnFrontPage="true"/>
            </author>
            <date year="2012" month="October"/>
            <abstract>
              <t>This specification describes how to use bearer tokens in HTTP requests to access OAuth 2.0 protected resources.  Any party in possession of a bearer token (a "bearer") can use it to get access to the associated resources (without demonstrating possession of a cryptographic key).  To prevent misuse, bearer tokens need to be protected from disclosure in storage and in transport.   [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="6750"/>
          <seriesInfo name="DOI" value="10.17487/RFC6750"/>
        </reference>
        <reference anchor="RFC6755" target="https://www.rfc-editor.org/info/rfc6755" quoteTitle="true" derivedAnchor="RFC6755">
          <front>
            <title>An IETF URN Sub-Namespace for OAuth</title>
            <author initials="B." surname="Campbell" fullname="B. Campbell">
              <organization showOnFrontPage="true"/>
            </author>
            <author initials="H." surname="Tschofenig" fullname="H. Tschofenig">
              <organization showOnFrontPage="true"/>
            </author>
            <date year="2012" month="October"/>
            <abstract>
              <t>This document establishes an IETF URN Sub-namespace for use with OAuth-related specifications.  This document is not an Internet  Standards Track specification; it is published for informational  purposes.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="6755"/>
          <seriesInfo name="DOI" value="10.17487/RFC6755"/>
        </reference>
        <reference anchor="RFC6819" target="https://www.rfc-editor.org/info/rfc6819" quoteTitle="true" derivedAnchor="RFC6819">
          <front>
            <title>OAuth 2.0 Threat Model and Security Considerations</title>
            <author initials="T." surname="Lodderstedt" fullname="T. Lodderstedt" role="editor">
              <organization showOnFrontPage="true"/>
            </author>
            <author initials="M." surname="McGloin" fullname="M. McGloin">
              <organization showOnFrontPage="true"/>
            </author>
            <author initials="P." surname="Hunt" fullname="P. Hunt">
              <organization showOnFrontPage="true"/>
            </author>
            <date year="2013" month="January"/>
            <abstract>
              <t>This document gives additional security considerations for OAuth, beyond those in the OAuth 2.0 specification, based on a comprehensive threat model for the OAuth 2.0 protocol.  This document is not an  Internet Standards Track specification; it is published for  informational purposes.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="6819"/>
          <seriesInfo name="DOI" value="10.17487/RFC6819"/>
        </reference>
        <reference anchor="RFC7521" target="https://www.rfc-editor.org/info/rfc7521" quoteTitle="true" derivedAnchor="RFC7521">
          <front>
            <title>Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants</title>
            <author initials="B." surname="Campbell" fullname="B. Campbell">
              <organization showOnFrontPage="true"/>
            </author>
            <author initials="C." surname="Mortimore" fullname="C. Mortimore">
              <organization showOnFrontPage="true"/>
            </author>
            <author initials="M." surname="Jones" fullname="M. Jones">
              <organization showOnFrontPage="true"/>
            </author>
            <author initials="Y." surname="Goland" fullname="Y. Goland">
              <organization showOnFrontPage="true"/>
            </author>
            <date year="2015" month="May"/>
            <abstract>
              <t>This specification provides a framework for the use of assertions with OAuth 2.0 in the form of a new client authentication mechanism and a new authorization grant type.  Mechanisms are specified for transporting assertions during interactions with a token endpoint; general processing rules are also specified.</t>
              <t>The intent of this specification is to provide a common framework for OAuth 2.0 to interwork with other identity systems using assertions and to provide alternative client authentication mechanisms.</t>
              <t>Note that this specification only defines abstract message flows and processing rules.  In order to be implementable, companion specifications are necessary to provide the corresponding concrete instantiations.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7521"/>
          <seriesInfo name="DOI" value="10.17487/RFC7521"/>
        </reference>
        <reference anchor="RFC7523" target="https://www.rfc-editor.org/info/rfc7523" quoteTitle="true" derivedAnchor="RFC7523">
          <front>
            <title>JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants</title>
            <author initials="M." surname="Jones" fullname="M. Jones">
              <organization showOnFrontPage="true"/>
            </author>
            <author initials="B." surname="Campbell" fullname="B. Campbell">
              <organization showOnFrontPage="true"/>
            </author>
            <author initials="C." surname="Mortimore" fullname="C. Mortimore">
              <organization showOnFrontPage="true"/>
            </author>
            <date year="2015" month="May"/>
            <abstract>
              <t>This specification defines the use of a JSON Web Token (JWT) Bearer Token as a means for requesting an OAuth 2.0 access token as well as for client authentication.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7523"/>
          <seriesInfo name="DOI" value="10.17487/RFC7523"/>
        </reference>
        <reference anchor="WS-Trust" target="https://docs.oasis-open.org/ws-sx/ws-trust/v1.4/ws-trust.html" quoteTitle="true" derivedAnchor="WS-Trust">
          <front>
            <title>WS-Trust 1.4</title>
            <author fullname="Anthony Nadalin" initials="A." surname="Nadalin" role="editor"/>
            <author fullname="Marc Goodner" initials="M." surname="Goodner" role="editor"/>
            <author fullname="Martin Gudgin" initials="M." surname="Gudgin" role="editor"/>
            <author fullname="Abbie Barbir" initials="A." surname="Barbir" role="editor"/>
            <author fullname="Hans Granqvist" initials="H." surname="Granqvist" role="editor"/>
            <date month="February" year="2012"/>
          </front>
        </reference>
      </references>
    </references>
    <section anchor="AdditionalExamples" numbered="true" toc="include" removeInRFC="false" pn="section-appendix.a">
      <name slugifiedName="name-additional-token-exchange-e">Additional Token Exchange Examples</name>
      <t pn="section-appendix.a-1">
      Two example token exchanges are provided in the following sections
      illustrating impersonation and delegation, respectively
      (with extra line breaks and indentation for display purposes only).
      </t>
      <section anchor="ImpersonationExample" numbered="true" toc="include" removeInRFC="false" pn="section-a.1">
        <name slugifiedName="name-impersonation-token-exchang">Impersonation Token Exchange Example</name>
        <section anchor="ImpersonationRequest" numbered="true" toc="include" removeInRFC="false" pn="section-a.1.1">
          <name slugifiedName="name-token-exchange-request-2">Token Exchange Request</name>
          <t pn="section-a.1.1-1">
        In the following token exchange request, a client is requesting a token
        with impersonation semantics (delegation is impossible with only a <tt>subject_token</tt>
        and no <tt>actor_token</tt>).
        The client tells the authorization server that it needs a token for use at
        the target service with the logical name
	<tt>urn:example:cooperation-context</tt>.
          </t>
          <figure anchor="ImpersonationRequestEx" align="left" suppress-title="false" pn="figure-10">
            <name slugifiedName="name-token-exchange-request-3">Token Exchange Request</name>
            <artwork name="" type="" align="left" alt="" pn="section-a.1.1-2.1">
 POST /as/token.oauth2 HTTP/1.1
 Host: as.example.com
 Content-Type: application/x-www-form-urlencoded

 grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Atoken-exchange
 &amp;audience=urn%3Aexample%3Acooperation-context
 &amp;subject_token=eyJhbGciOiJFUzI1NiIsImtpZCI6IjE2In0.eyJhdWQiOiJodHRwc
   zovL2FzLmV4YW1wbGUuY29tIiwiaXNzIjoiaHR0cHM6Ly9vcmlnaW5hbC1pc3N1ZXI
   uZXhhbXBsZS5uZXQiLCJleHAiOjE0NDE5MTA2MDAsIm5iZiI6MTQ0MTkwOTAwMCwic
   3ViIjoiYmRjQGV4YW1wbGUubmV0Iiwic2NvcGUiOiJvcmRlcnMgcHJvZmlsZSBoaXN
   0b3J5In0.PRBg-jXn4cJuj1gmYXFiGkZzRuzbXZ_sDxdE98ddW44ufsbWLKd3JJ1VZ
   hF64pbTtfjy4VXFVBDaQpKjn5JzAw
 &amp;subject_token_type=urn%3Aietf%3Aparams%3Aoauth%3Atoken-type%3Ajwt
</artwork>
          </figure>
        </section>
        <section anchor="ImpersonationSubjectClaims" numbered="true" toc="include" removeInRFC="false" pn="section-a.1.2">
          <name slugifiedName="name-subject-token-claims">Subject Token Claims</name>
          <t pn="section-a.1.2-1">
  The <tt>subject_token</tt> in the prior request is a JWT, and
  the decoded JWT Claims Set is shown here. The JWT is
  intended for consumption by the authorization server within a specific time window.
  The subject of the JWT (<tt>bdc@example.net</tt>) is
  the party on behalf of whom the new token is being requested.
</t>
          <figure anchor="ImpersonationSubjectClaimsEx" align="left" suppress-title="false" pn="figure-11">
            <name slugifiedName="name-subject-token-claims-2">Subject Token Claims</name>
            <sourcecode type="json" markers="false" pn="section-a.1.2-2.1">
  {
    "aud":"https://as.example.com",
    "iss":"https://original-issuer.example.net",
    "exp":1441910600,
    "nbf":1441909000,
    "sub":"bdc@example.net",
    "scope":"orders profile history"
  }
</sourcecode>
          </figure>
        </section>
        <section anchor="ImpersonationResponse" numbered="true" toc="include" removeInRFC="false" pn="section-a.1.3">
          <name slugifiedName="name-token-exchange-response-2">Token Exchange Response</name>
          <t pn="section-a.1.3-1">
  The <tt>access_token</tt> parameter of the token exchange
  response shown below contains the new token that the client requested.
  The other parameters of the response indicate that the token is a bearer access token
  that expires in an hour.
</t>
          <figure anchor="ImpersonationResponseEx" align="left" suppress-title="false" pn="figure-12">
            <name slugifiedName="name-token-exchange-response-3">Token Exchange Response</name>
            <artwork name="" type="" align="left" alt="" pn="section-a.1.3-2.1">
 HTTP/1.1 200 OK
 Content-Type: application/json
 Cache-Control: no-cache, no-store

 {
  "access_token":"eyJhbGciOiJFUzI1NiIsImtpZCI6IjcyIn0.eyJhdWQiOiJ1cm4
    6ZXhhbXBsZTpjb29wZXJhdGlvbi1jb250ZXh0IiwiaXNzIjoiaHR0cHM6Ly9hcy5l
    eGFtcGxlLmNvbSIsImV4cCI6MTQ0MTkxMzYxMCwic3ViIjoiYmRjQGV4YW1wbGUub
    mV0Iiwic2NvcGUiOiJvcmRlcnMgcHJvZmlsZSBoaXN0b3J5In0.rMdWpSGNACTvnF
    uOL74sYZ6MVuld2Z2WkGLmQeR9ztj6w2OXraQlkJmGjyiCq24kcB7AI2VqVxl3wSW
    nVKh85A",
  "issued_token_type":
    "urn:ietf:params:oauth:token-type:access_token",
  "token_type":"Bearer",
  "expires_in":3600
 }
</artwork>
          </figure>
        </section>
        <section anchor="ImpersonationIssuedClaims" numbered="true" toc="include" removeInRFC="false" pn="section-a.1.4">
          <name slugifiedName="name-issued-token-claims">Issued Token Claims</name>
          <t pn="section-a.1.4-1">
  The decoded JWT Claims Set of the issued token is shown below. The new JWT is
  issued by the authorization server and intended for consumption by a system entity
  known by the logical name <tt>urn:example:cooperation-context</tt>
  any time before its expiration.
  The subject (<tt>sub</tt>) of the JWT
  is the same as the subject the token used to make the request,
  which effectively enables the client to impersonate that subject
  at the system entity known by the logical name of
  <tt>urn:example:cooperation-context</tt> by using the token.
</t>
          <figure anchor="ImpersonationIssuedClaimsEx" align="left" suppress-title="false" pn="figure-13">
            <name slugifiedName="name-issued-token-claims-2">Issued Token Claims</name>
            <sourcecode type="json" markers="false" pn="section-a.1.4-2.1">
  {
    "aud":"urn:example:cooperation-context",
    "iss":"https://as.example.com",
    "exp":1441913610,
    "sub":"bdc@example.net",
    "scope":"orders profile history"
  }
</sourcecode>
          </figure>
        </section>
      </section>
      <section anchor="DelegationExample" numbered="true" toc="include" removeInRFC="false" pn="section-a.2">
        <name slugifiedName="name-delegation-token-exchange-e">Delegation Token Exchange Example</name>
        <section anchor="DelegationRequest" numbered="true" toc="include" removeInRFC="false" pn="section-a.2.1">
          <name slugifiedName="name-token-exchange-request-4">Token Exchange Request</name>
          <t pn="section-a.2.1-1">
        In the following token exchange request, a client is requesting a token
        and providing both a <tt>subject_token</tt> and an <tt>actor_token</tt>.
        The client tells the authorization server that it needs a token for use at
        the target service with the logical name
	<tt>urn:example:cooperation-context</tt>. Policy at the
        authorization server dictates that the issued token be a composite.
          </t>
          <figure anchor="DelegationRequestEx" align="left" suppress-title="false" pn="figure-14">
            <name slugifiedName="name-token-exchange-request-5">Token Exchange Request</name>
            <artwork name="" type="" align="left" alt="" pn="section-a.2.1-2.1">
 POST /as/token.oauth2 HTTP/1.1
 Host: as.example.com
 Content-Type: application/x-www-form-urlencoded

 grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Atoken-exchange
 &amp;audience=urn%3Aexample%3Acooperation-context
 &amp;subject_token=eyJhbGciOiJFUzI1NiIsImtpZCI6IjE2In0.eyJhdWQiOiJodHRwc
   zovL2FzLmV4YW1wbGUuY29tIiwiaXNzIjoiaHR0cHM6Ly9vcmlnaW5hbC1pc3N1ZXI
   uZXhhbXBsZS5uZXQiLCJleHAiOjE0NDE5MTAwNjAsInNjb3BlIjoic3RhdHVzIGZlZ
   WQiLCJzdWIiOiJ1c2VyQGV4YW1wbGUubmV0IiwibWF5X2FjdCI6eyJzdWIiOiJhZG1
   pbkBleGFtcGxlLm5ldCJ9fQ.4rPRSWihQbpMIgAmAoqaJojAxj-p2X8_fAtAGTXrvM
   xU-eEZHnXqY0_AOZgLdxw5DyLzua8H_I10MCcckF-Q_g
 &amp;subject_token_type=urn%3Aietf%3Aparams%3Aoauth%3Atoken-type%3Ajwt
 &amp;actor_token=eyJhbGciOiJFUzI1NiIsImtpZCI6IjE2In0.eyJhdWQiOiJodHRwczo
   vL2FzLmV4YW1wbGUuY29tIiwiaXNzIjoiaHR0cHM6Ly9vcmlnaW5hbC1pc3N1ZXIuZ
   XhhbXBsZS5uZXQiLCJleHAiOjE0NDE5MTAwNjAsInN1YiI6ImFkbWluQGV4YW1wbGU
   ubmV0In0.7YQ-3zPfhUvzje5oqw8COCvN5uP6NsKik9CVV6cAOf4QKgM-tKfiOwcgZ
   oUuDL2tEs6tqPlcBlMjiSzEjm3yBg
 &amp;actor_token_type=urn%3Aietf%3Aparams%3Aoauth%3Atoken-type%3Ajwt
</artwork>
          </figure>
        </section>
        <section anchor="DelegationSubjectClaims" numbered="true" toc="include" removeInRFC="false" pn="section-a.2.2">
          <name slugifiedName="name-subject-token-claims-3">Subject Token Claims</name>
          <t pn="section-a.2.2-1">
        The <tt>subject_token</tt> in the prior request is a JWT, and
        the decoded JWT Claims Set is shown here. The JWT is
        intended for consumption by the authorization server
        before a specific expiration time.
	The subject of the JWT
	(<tt>user@example.net</tt>) is
	the party on behalf of whom the new token is being requested.
          </t>
          <figure anchor="DelegationSubjectClaimsEx" align="left" suppress-title="false" pn="figure-15">
            <name slugifiedName="name-subject-token-claims-4">Subject Token Claims</name>
            <sourcecode type="json" markers="false" pn="section-a.2.2-2.1">
  {
    "aud":"https://as.example.com",
    "iss":"https://original-issuer.example.net",
    "exp":1441910060,
    "scope":"status feed",
    "sub":"user@example.net",
    "may_act":
    {
      "sub":"admin@example.net"
    }
  }
</sourcecode>
          </figure>
        </section>
        <section anchor="DelegationActorClaims" numbered="true" toc="include" removeInRFC="false" pn="section-a.2.3">
          <name slugifiedName="name-actor-token-claims">Actor Token Claims</name>
          <t pn="section-a.2.3-1">
        The <tt>actor_token</tt> in the prior request is a JWT, and
        the decoded JWT Claims Set is shown here. This JWT is also
        intended for consumption by the authorization server
        before a specific expiration time.
	The subject of the JWT
	(<tt>admin@example.net</tt>) is
	the actor that will wield the security token being requested.
          </t>
          <figure anchor="DelegationActorClaimsEx" align="left" suppress-title="false" pn="figure-16">
            <name slugifiedName="name-actor-token-claims-2">Actor Token Claims</name>
            <sourcecode type="json" markers="false" pn="section-a.2.3-2.1">
  {
    "aud":"https://as.example.com",
    "iss":"https://original-issuer.example.net",
    "exp":1441910060,
    "sub":"admin@example.net"
  }
</sourcecode>
          </figure>
        </section>
        <section anchor="DelegationResponse" numbered="true" toc="include" removeInRFC="false" pn="section-a.2.4">
          <name slugifiedName="name-token-exchange-response-4">Token Exchange Response</name>
          <t pn="section-a.2.4-1">
        The <tt>access_token</tt> parameter of the token exchange
        response shown below contains the new token that the client requested.
        The other parameters of the response indicate that the token is a JWT
	that expires in an hour and that the access token type is not applicable
	since the issued token is not an access token.
          </t>
          <figure anchor="DelegationResponseEx" align="left" suppress-title="false" pn="figure-17">
            <name slugifiedName="name-token-exchange-response-5">Token Exchange Response</name>
            <artwork name="" type="" align="left" alt="" pn="section-a.2.4-2.1">
 HTTP/1.1 200 OK
 Content-Type: application/json
 Cache-Control: no-cache, no-store

 {
  "access_token":"eyJhbGciOiJFUzI1NiIsImtpZCI6IjcyIn0.eyJhdWQiOiJ1cm4
    6ZXhhbXBsZTpjb29wZXJhdGlvbi1jb250ZXh0IiwiaXNzIjoiaHR0cHM6Ly9hcy5l
    eGFtcGxlLmNvbSIsImV4cCI6MTQ0MTkxMzYxMCwic2NvcGUiOiJzdGF0dXMgZmVlZ
    CIsInN1YiI6InVzZXJAZXhhbXBsZS5uZXQiLCJhY3QiOnsic3ViIjoiYWRtaW5AZX
    hhbXBsZS5uZXQifX0.3paKl9UySKYB5ng6_cUtQ2qlO8Rc_y7Mea7IwEXTcYbNdwG
    9-G1EKCFe5fW3H0hwX-MSZ49Wpcb1SiAZaOQBtw",
  "issued_token_type":"urn:ietf:params:oauth:token-type:jwt",
  "token_type":"N_A",
  "expires_in":3600
 }
</artwork>
          </figure>
        </section>
        <section anchor="DelegationIssuedClaims" numbered="true" toc="include" removeInRFC="false" pn="section-a.2.5">
          <name slugifiedName="name-issued-token-claims-3">Issued Token Claims</name>
          <t pn="section-a.2.5-1">
        The decoded JWT Claims Set of the issued token is shown below. The new JWT is
        issued by the authorization server and intended for consumption by a system entity
        known by the logical name
	<tt>urn:example:cooperation-context</tt>
	any time before its expiration.
        The subject (<tt>sub</tt>)
  of the JWT
	is the same as the subject of
	the <tt>subject_token</tt> used to make the request.
  The actor (<tt>act</tt>) of the JWT is the same as the subject
	of the <tt>actor_token</tt> used to make the request.

        This indicates delegation and identifies
	<tt>admin@example.net</tt> as the current actor to whom authority
        has been delegated to act on behalf of <tt>user@example.net</tt>.
          </t>
          <figure anchor="DelegationIssuedClaimsEx" align="left" suppress-title="false" pn="figure-18">
            <name slugifiedName="name-issued-token-claims-4">Issued Token Claims</name>
            <sourcecode type="json" markers="false" pn="section-a.2.5-2.1">
  {
    "aud":"urn:example:cooperation-context",
    "iss":"https://as.example.com",
    "exp":1441913610,
    "scope":"status feed",
    "sub":"user@example.net",
    "act":
    {
      "sub":"admin@example.net"
    }
  }
</sourcecode>
          </figure>
        </section>
      </section>
    </section>
    <section anchor="Acknowledgements" numbered="false" toc="include" removeInRFC="false" pn="section-appendix.b">
      <name slugifiedName="name-acknowledgements">Acknowledgements</name>
      <t pn="section-appendix.b-1">
        This specification was developed within the OAuth Working Group, which
        includes dozens of active and dedicated participants.
        It was produced under the chairmanship of
        <contact fullname="Hannes Tschofenig"/>, <contact fullname="Derek  Atkins"/>, and <contact fullname="Rifaat Shekh-Yusef"/>,
        with <contact fullname="Kathleen Moriarty"/>, <contact fullname="Stephen  Farrell"/>, <contact fullname="Eric Rescorla"/>, <contact fullname="Roman  Danyliw"/>, and <contact fullname="Benjamin Kaduk"/> serving as
        Security Area Directors.
      </t>
      <t pn="section-appendix.b-2">
        The following individuals contributed ideas, feedback, and wording
	to this specification:
	<contact fullname="Caleb Baker"/>,
  <contact fullname="Vittorio Bertocci"/>,
        <contact fullname="Mike Brown"/>,
  <contact fullname="Thomas Broyer"/>,
        <contact fullname="Roman Danyliw"/>,
	<contact fullname="William Denniss"/>,
  <contact fullname="Vladimir Dzhuvinov"/>,
        <contact fullname="Eric Fazendin"/>,
	<contact fullname="Phil Hunt"/>,
  <contact fullname="Benjamin Kaduk"/>,
	<contact fullname="Jason Keglovitz"/>,
  <contact fullname="Torsten Lodderstedt"/>,
        <contact fullname="Barry Leiba"/>,
  <contact fullname="Adam Lewis"/>,
  <contact fullname="James Manger"/>,
  <contact fullname="Nov Matake"/>,
	<contact fullname="Matt Miller"/>,
        <contact fullname="Hilarie Orman"/>,
	<contact fullname="Matthew Perry"/>,
  <contact fullname="Eric Rescorla"/>,
	<contact fullname="Justin Richer"/>,
<contact fullname="Adam Roach"/>,
  <contact fullname="Rifaat Shekh-Yusef"/>,
	<contact fullname="Scott Tomilson"/>,
	and
        <contact fullname="Hannes Tschofenig"/>.
      </t>
    </section>
    <section anchor="authors-addresses" numbered="false" removeInRFC="false" toc="include" pn="section-appendix.c">
      <name slugifiedName="name-authors-addresses">Authors' Addresses</name>
      <author fullname="Michael B. Jones" initials="M." surname="Jones">
        <organization showOnFrontPage="true">Microsoft</organization>
        <address>
          <email>mbj@microsoft.com</email>
          <uri>https://self-issued.info/</uri>
        </address>
      </author>
      <author fullname="Anthony Nadalin" initials="A." surname="Nadalin">
        <organization showOnFrontPage="true">Microsoft</organization>
        <address>
          <email>tonynad@microsoft.com</email>
        </address>
      </author>
      <author fullname="Brian Campbell" initials="B." surname="Campbell" role="editor">
        <organization showOnFrontPage="true">Ping Identity</organization>
        <address>
          <email>brian.d.campbell@gmail.com</email>
        </address>
      </author>
      <author fullname="John Bradley" initials="J." surname="Bradley">
        <organization showOnFrontPage="true">Yubico</organization>
        <address>
          <email>ve7jtb@ve7jtb.com</email>
        </address>
      </author>
      <author fullname="Chuck Mortimore" initials="C." surname="Mortimore">
        <organization abbrev="Visa" showOnFrontPage="true">Visa</organization>
        <address>
          <email>chuck.mortimore@visa.com</email>
        </address>
      </author>
    </section>
  </back>
</rfc>