oauth2.dev

act

IESG

Registry Context

The `act` claim identifies the current actor in a JWT that expresses delegation. For access control, a token consumer must consider only the token's top-level claims and the current actor; nested `act` claims identify prior actors and are informational only.

Technical Summary

The `act` claim value is a JSON object containing claims that identify and may provide additional information about the actor. The outermost `act` identifies the current actor, while nested `act` claims record prior actors in a delegation chain.

When Used

Used in a JWT to express that delegation has occurred and identify the acting party to whom authority was delegated. It can also be included as a top-level member of an OAuth token introspection response with the same semantics and format.

Normative Requirements

consumer of a token

MUST
1
  1. RFC 8693 - Section 4.1

    consider only the token's top-level claims and the party identified as the current actor by the `act` claim.

    Condition: when applying access control policy

    MUST only consider the token's top-level claims and the party identified as the current actor

Validation Guidance

error

When applying access control policy, use only the token's top-level claims and the current actor identified by the outermost `act` claim; do not consider prior actors in nested `act` claims.

error

If `act` is present, verify that its value is a JSON object containing claims that identify the actor.

warning

Do not interpret non-identity claims such as `exp`, `nbf`, or `aud` within an `act` object as affecting the containing JWT's validity.

Security Notes

RFC 8693 - Section 4.1

Prior actors identified by nested `act` claims are informational only and are not considered in access control decisions.

RFC 8693 - Section 4.1

Claims within `act` pertain only to actor identity. Non-identity claims such as `exp`, `nbf`, and `aud` are not meaningful within `act` and are not used.

Reference

Details

Entry Id
act
Claim Name
act
Claim Description
Actor
Change Controller
IESG
Reference
RFC8693 - Section 4.1