oauth2.dev

act

IESG

Registry Context

Identifies the current actor in a delegation and has the same semantics and format as the JWT claim of the same name.

Technical Summary

`act` is a JSON object containing claims that identify, and may provide additional information about, the actor. Nested `act` objects represent prior actors in the delegation history.

When Used

When a token introspection response reports the current actor in a delegation.

Normative Requirements

token consumer

MUST
1
  1. RFC 8693 - Section 4.1

    Consider only the token's top-level claims and the party identified as the current actor by `act` when applying access-control policy..

    Condition: When applying access-control policy to a token containing an `act` claim.

    The consumer of a token MUST only consider the token's top-level claims and the party identified as the current actor by the act claim.

Validation Guidance

error

Verify that `act` is a JSON object whose members are claims identifying or providing additional information about the actor.

error

Verify that access-control decisions consider only top-level token claims and the current actor identified by the outermost `act`; nested prior actors must not influence those decisions.

warning

Do not interpret non-identity claims such as `exp`, `nbf`, or `aud` within `act` as affecting the validity of the containing token.

Security Notes

RFC 8693 - Section 4.1

Nested `act` claims identify prior actors and provide delegation history; they are informational only and are not considered in access-control decisions.

RFC 8693 - Section 4.1

Claims inside `act` pertain only to actor identity. Non-identity claims such as `exp`, `nbf`, and `aud` are not meaningful there and are not used.

Reference

Details

Entry Id
act
Name
act
Description
Actor
Change Controller
IESG
Reference
RFC8693 - Section 4.1