oauth2.dev

entitlements

IETF

Registry Context

The `entitlements` JWT claim conveys entitlements assigned to the resource owner for the targeted resource that the authorization server knows about. It is one of the three SCIM User attributes (`groups`, `roles`, `entitlements`) that RFC 9068 reuses as claim types for authorization data in JWT access tokens.

Technical Summary

RFC 9068 registers `entitlements` as a JWT claim; the attribute itself is defined by the SCIM Core Schema, RFC 7643 Section 4.1.2. An authorization server that embeds authorization attributes going beyond the delegation scenarios of RFC 6749 in a JWT access token SHOULD use the `entitlements` attribute of the SCIM User resource as the claim type, and SHOULD encode the claim value according to RFC 7643. In SCIM, `entitlements` is a multi-valued complex attribute: a JSON array of objects whose sub-attributes are `value`, `display`, `type` and `primary`. RFC 7643 specifies no vocabulary or syntax for the entitlement `value` itself, so the authorization server and the resource server must agree on what the strings mean.

When Used

When an authorization server includes, in a JWT access token, entitlements that it knows about for the resource owner and that are relevant to the targeted resource.

Normative Requirements

Authorization servers

SHOULD
  1. RFC 9068 - Section 2.2.3.1

    use the `entitlements` attribute of the SCIM User resource schema as a claim type.

    Condition: when including authorization attributes outside delegation scenarios in a JWT access token

    SHOULD use the "groups", "roles", and "entitlements" attributes

  2. RFC 9068 - Section 2.2.3.1

    encode the `entitlements` claim value according to the guidance in RFC 7643.

    Condition: when including the claim in a JWT access token

    SHOULD encode the corresponding claim values according to the guidance defined in [RFC7643]

Validation Guidance

Warning: When an `entitlements` claim is present for authorization attributes outside delegation scenarios, verify that it has the shape of the SCIM User `entitlements` attribute: a JSON array of complex values, each carrying a string `value` sub-attribute and optionally `display`, `type` and `primary`.

Warning: Verify that the `entitlements` claim value follows the applicable RFC 7643 encoding guidance. Treat a value that is not an array, or whose elements lack a string `value`, as an invalid token rather than as "no entitlements"; per RFC 7643 Section 2.4, at most one element of a multi-valued attribute may carry `primary: true`. Evaluate the claim only after the access token itself has passed the RFC 9068 Section 4 checks (signature, `typ` of `at+jwt`, `iss`, `aud`, `exp`); an entitlement read from an unverified token is worthless.
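The following Python example is added here to illustrate both the issuing side (the two SHOULDs above) and the validation guidance; it is not code from RFC 9068, RFC 7643 or oauth2.dev. It mints a JWT access token carrying a SCIM-encoded `entitlements` claim, then verifies the token as a resource server would and checks the claim's shape before using it for an authorization decision. HS256 with a shared secret is used only so the example runs offline with the standard library; a real authorization server signs with an asymmetric key published through its JWKS. The issuer, audience, secret, `jti` and entitlement values are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for the example only.
SECRET = b"constructed-example-secret-do-not-use"   # HS256 key; real ASs use asymmetric keys
ISSUER = "https://as.example"                        # hypothetical authorization server
AUDIENCE = "https://api.example/orders"              # hypothetical resource server


class TokenError(ValueError):
    """Raised for any token the resource server must reject."""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_access_token(sub: str, entitlements: list, now=None) -> str:
    """Issue an RFC 9068 access token whose `entitlements` claim is encoded like the
    SCIM User `entitlements` attribute (RFC 7643, Section 4.1.2): a JSON array of
    objects with a "value" and optional "display", "type" and "primary" sub-attributes."""
    now = int(time.time()) if now is None else now
    header = {"typ": "at+jwt", "alg": "HS256"}           # RFC 9068 Section 2.1 media type
    payload = {
        "iss": ISSUER, "sub": sub, "aud": AUDIENCE,
        "iat": now, "exp": now + 300, "jti": "constructed-jti-1",
        "client_id": "constructed-client",
        "entitlements": entitlements,
    }
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def validate_entitlements_claim(value):
    """Reject an `entitlements` claim that does not follow the SCIM encoding: it must
    be an array of objects, each with a non-empty string "value", optional string
    "display"/"type", optional boolean "primary", and at most one "primary": true
    (RFC 7643, Section 2.4). Unknown sub-attributes are ignored, not rejected."""
    if not isinstance(value, list):
        raise TokenError("entitlements must be a JSON array")
    seen_primary = False
    for item in value:
        if not isinstance(item, dict):
            raise TokenError("each entitlement must be a JSON object")
        if not isinstance(item.get("value"), str) or not item["value"]:
            raise TokenError("entitlement 'value' must be a non-empty string")
        for key in ("display", "type"):
            if key in item and not isinstance(item[key], str):
                raise TokenError(f"entitlement '{key}' must be a string")
        if "primary" in item:
            if not isinstance(item["primary"], bool):
                raise TokenError("entitlement 'primary' must be a boolean")
            if item["primary"]:
                if seen_primary:
                    raise TokenError("at most one entitlement may be primary")
                seen_primary = True
    return value


def verify_access_token(token: str, now=None) -> dict:
    """Resource-server side: check the signature with the algorithm the verifier
    expects (never the one named in the header), then the RFC 9068 Section 4 claims
    (typ, iss, aud, exp), and only then the shape of the `entitlements` claim."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed JWT")
    h64, p64, s64 = parts
    expected = hmac.new(SECRET, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        raise TokenError("bad signature")
    header = json.loads(_b64url_decode(h64))
    if header.get("alg") != "HS256" or header.get("typ") != "at+jwt":
        raise TokenError("unexpected header")
    claims = json.loads(_b64url_decode(p64))
    if claims.get("iss") != ISSUER:
        raise TokenError("unexpected issuer")
    aud = claims.get("aud")
    if not (aud == AUDIENCE or (isinstance(aud, list) and AUDIENCE in aud)):
        raise TokenError("audience mismatch")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise TokenError("token expired")
    if "entitlements" in claims:
        validate_entitlements_claim(claims["entitlements"])
    return claims


def has_entitlement(claims: dict, value: str, type_=None) -> bool:
    """Authorization decision: is the named entitlement (optionally of a type) present?"""
    for ent in claims.get("entitlements", []):
        if ent.get("value") == value and (type_ is None or ent.get("type") == type_):
            return True
    return False


if __name__ == "__main__":
    ents = [  # constructed entitlements; the value vocabulary is local to this deployment
        {"value": "orders:refund", "type": "permission", "display": "Issue refunds", "primary": True},
        {"value": "orders:read", "type": "permission"},
    ]
    claims = verify_access_token(mint_access_token("user-123", ents))
    print(has_entitlement(claims, "orders:refund", "permission"))
```

The verifier deliberately fixes the expected algorithm and checks `typ`, `iss`, `aud` and `exp` before it looks at `entitlements`, so a forged or replayed token never reaches the authorization decision; the claim validator then fails closed on any value that is not a SCIM-shaped array, instead of silently treating it as an empty set.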

Reference

Details

Entry Id
entitlements
Claim Name
entitlements
Claim Description
Entitlements
Change Controller
IETF
Reference
RFC7643 - Section 4.1.2, RFC9068 - Section 2.2.3.1