oauth2.dev

roles

IETF

Registry Context

`roles` conveys role membership or similar authorization information in a JWT access token using the SCIM User schema attribute defined by RFC 7643.

Technical Summary

RFC 9068 recommends using the SCIM User schema `roles` attribute as a claim type for relevant authorization attributes and encoding its value according to RFC 7643 guidance.

When Used

When an authorization server includes resource-owner role membership relevant to the resource being accessed in a JWT access token.

Normative Requirements

Authorization servers

SHOULD
1
  1. RFC 9068 - Section 2.2.3.1

    encode the corresponding claim values according to RFC 7643 guidance.

    Condition: when using these SCIM attributes as claim types

    SHOULD encode the corresponding claim values according to the guidance defined in [RFC7643]

An authorization server wanting to include such authorization attributes in a JWT access token

SHOULD
1
  1. RFC 9068 - Section 2.2.3.1

    use the `groups`, `roles`, and `entitlements` attributes of the RFC 7643 User resource schema as claim types.

    SHOULD use the "groups", "roles", and "entitlements" attributes

Validation Guidance

warning

When an authorization server includes role authorization attributes in a JWT access token, verify that it uses the RFC 7643 User schema `roles` attribute as the claim type.

warning

Verify that the `roles` claim value is encoded according to RFC 7643 guidance.

Reference

Details

Entry Id
roles
Claim Name
roles
Claim Description
Roles
Change Controller
IETF
Reference
RFC7643 - Section 4.1.2, RFC9068 - Section 2.2.3.1