roles
Registry Context
`roles` conveys role membership or similar authorization information in a JWT access token using the SCIM User schema attribute defined by RFC 7643.
Technical Summary
RFC 9068 recommends using the SCIM User schema `roles` attribute as a claim type for relevant authorization attributes and encoding its value according to RFC 7643 guidance.
When Used
When an authorization server includes resource-owner role membership relevant to the resource being accessed in a JWT access token.
Normative Requirements
Authorization servers
RFC 9068 - Section 2.2.3.1
encode the corresponding claim values according to RFC 7643 guidance.
Condition: when using these SCIM attributes as claim types
SHOULD encode the corresponding claim values according to the guidance defined in [RFC7643]
An authorization server wanting to include such authorization attributes in a JWT access token
RFC 9068 - Section 2.2.3.1
use the `groups`, `roles`, and `entitlements` attributes of the RFC 7643 User resource schema as claim types.
SHOULD use the "groups", "roles", and "entitlements" attributes
Validation Guidance
When an authorization server includes role authorization attributes in a JWT access token, verify that it uses the RFC 7643 User schema `roles` attribute as the claim type.
Verify that the `roles` claim value is encoded according to RFC 7643 guidance.
Reference
Details
- Entry Id
roles- Claim Name
roles- Claim Description
Roles- Change Controller
IETF- Reference
RFC7643 - Section 4.1.2, RFC9068 - Section 2.2.3.1