pmg / assertion-grant
An implementation of the assertion grant flow described in RFC 7521
v0.2.0
2023-07-27 14:36 UTC
Requires
- lcobucci/jwt: ^4.2 || ^5.0
- league/oauth2-server: ^8.3
Requires (Dev)
- friendsofphp/php-cs-fixer: ^3.13
- laminas/laminas-diactoros: ^3.0
- nikic/php-parser: ^4.16
- phpstan/phpstan: ^1.10
- phpunit/phpunit: ^9.6
- symfony/phpunit-bridge: ^6.1
README
This implements the assertion grant described in RFC 7521. The goal is to be flexible enough to support JWT (RFC 7523) or SAML (RFC 7522) assertions.
https://www.rfc-editor.org/rfc/rfc7521
It was inspired by some requirements of PMG's https://www.pmg.com/alli platform, along with some prior art from Google.
Client Authentication
RFCs 7523 and 7522 both leave this open:
JWT authorization grants may be used with or without client
authentication or identification. Whether or not client
authentication is needed in conjunction with a JWT authorization
grant, as well as the supported types of client authentication, are
policy decisions at the discretion of the authorization server.
However, if client credentials are present in the request, the
authorization server MUST validate them.
If a client_id is present in the request (either in the request body or in the Authorization header), the normal client validation path is used. If the client is confidential, the client secret is required.
If no client_id is present, the assertion issuer is treated as the OAuth client ID. In that case the assertion's own signature, checked by the assertion backend, is what proves the issuer's identity, so the issuer's signing key must have been registered with the authorization server out of band.
Scope
scope may be sent as a normal request parameter, but RFC 7521 has this to say:
The requested scope as described in Section 3.3 of
OAuth 2.0 [RFC6749]. When exchanging assertions for access
tokens, the authorization for the token has been previously
granted through some out-of-band mechanism. As such, the
requested scope MUST be equal to or less than the scope originally
granted to the authorized accessor. The authorization server MUST
limit the scope of the issued access token to be equal to or less
than the scope originally granted to the authorized accessor.
So the assertion is validated out of band. The assertion backend returns an Assertion implementation that carries the allowed scopes.
If the caller attempts to request scopes outside of those the assertion allows, an error is returned.
Assertion Issuer
The assertion issuer is treated as the OAuth client identifier.
Assertion Subject
The assertion subject is treated as the user identifier in this library. No accommodation is made for client credentials, since that is better served by the client_credentials grant combined with a client_assertion system.
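The following is an added example, not code from pmg/assertion-grant, that ties together the three rules above: client_id resolution (explicit client_id first, assertion issuer otherwise), the RFC 7521 scope rule (requested scope must be a subset of the out-of-band grant), and the iss / sub to client / user mapping. It assumes PHP 8.0 or later with lcobucci/jwt and league/oauth2-server installed through Composer, a hypothetical Assertion class standing in for the library's own Assertion implementation, hypothetical helper names (resolveClientId, enforceScopes), and a constructed in-memory registry in place of a real out-of-band grant record. The HMAC secret, client id, subject and audience are constructed sample values.

```php
<?php
declare(strict_types=1);

// Added example, not pmg/assertion-grant's own code. Assumptions: PHP >= 8.0,
// Composer autoload with lcobucci/jwt (^4.2 || ^5.0) and league/oauth2-server
// (^8.3), a hypothetical Assertion class, hypothetical helper names, and a
// constructed $granted registry standing in for the out-of-band grant record.
require __DIR__ . '/vendor/autoload.php';

use Lcobucci\JWT\Configuration;
use Lcobucci\JWT\Signer\Hmac\Sha256;
use Lcobucci\JWT\Signer\Key\InMemory;
use Lcobucci\JWT\UnencryptedToken;
use Lcobucci\JWT\Validation\Constraint\IssuedBy;
use Lcobucci\JWT\Validation\Constraint\PermittedFor;
use Lcobucci\JWT\Validation\Constraint\SignedWith;
use League\OAuth2\Server\Exception\OAuthServerException;

/** Hypothetical stand-in for the library's Assertion implementation. */
final class Assertion
{
    /** @param string[] $allowedScopes scopes granted out of band */
    public function __construct(
        public string $issuer,        // treated as the OAuth client identifier
        public string $subject,       // treated as the user identifier
        public array $allowedScopes,
    ) {
    }
}

/**
 * An explicit client_id (request body or HTTP Basic Authorization header) wins
 * and would then go through league's normal client validation, including the
 * secret check for confidential clients. Without one, the assertion issuer is
 * the client id.
 */
function resolveClientId(array $body, ?string $authorization, Assertion $assertion): string
{
    if (isset($body['client_id']) && $body['client_id'] !== '') {
        return (string) $body['client_id'];
    }
    if ($authorization !== null && stripos($authorization, 'Basic ') === 0) {
        $decoded = base64_decode(substr($authorization, 6), true);
        if ($decoded !== false && str_contains($decoded, ':')) {
            return explode(':', $decoded, 2)[0];
        }
    }
    return $assertion->issuer;
}

/**
 * RFC 7521 section 4.1: the requested scope must be equal to or less than the
 * scope granted out of band. Returns the effective scope list, or throws
 * invalid_scope naming the first scope the assertion does not allow.
 * Assumption: an omitted scope parameter means "everything the assertion allows".
 *
 * @return string[]
 */
function enforceScopes(?string $requested, Assertion $assertion): array
{
    if ($requested === null || trim($requested) === '') {
        return $assertion->allowedScopes;
    }
    $wanted = preg_split('/\s+/', trim($requested));
    foreach ($wanted as $scope) {
        if (!in_array($scope, $assertion->allowedScopes, true)) {
            throw OAuthServerException::invalidScope($scope);
        }
    }
    return array_values(array_unique($wanted));
}

// --- Constructed demo: an RFC 7523 style JWT bearer request ---------------
// Out-of-band state the authorization server holds: the registered issuers,
// the key they sign with, and the scopes that were granted to each.
$secret  = 'constructed-example-shared-secret-do-not-use-in-prod';
$config  = Configuration::forSymmetricSigner(new Sha256(), InMemory::plainText($secret));
$granted = ['client-abc' => ['read', 'write']];
$tokenEndpoint = 'https://as.example.com/token';

// Client side: mint the assertion (iss -> client, sub -> user, aud -> this AS).
$jwt = $config->builder()
    ->issuedBy('client-abc')
    ->relatedTo('user-42')
    ->permittedFor($tokenEndpoint)
    ->getToken($config->signer(), $config->signingKey())
    ->toString();

// Server side: validate the assertion out of band, then build the Assertion.
$token = $config->parser()->parse($jwt);
assert($token instanceof UnencryptedToken);
$config->validator()->assert(
    $token,
    new SignedWith($config->signer(), $config->verificationKey()),
    new IssuedBy(...array_keys($granted)),   // issuer must be a registered client
    new PermittedFor($tokenEndpoint),
);
$issuer    = $token->claims()->get('iss');
$assertion = new Assertion($issuer, $token->claims()->get('sub'), $granted[$issuer]);

$body = [
    'grant_type' => 'urn:ietf:params:oauth:grant-type:jwt-bearer',
    'assertion'  => $jwt,
    'scope'      => 'read',
];
$clientId = resolveClientId($body, null, $assertion);   // no client_id: falls back to iss
$scopes   = enforceScopes($body['scope'], $assertion);  // 'read' is within the grant
printf("client=%s user=%s scopes=%s\n", $clientId, $assertion->subject, implode(' ', $scopes));

try {
    enforceScopes('read admin', $assertion);            // 'admin' was never granted
} catch (OAuthServerException $e) {
    printf("rejected: %s (%s)\n", $e->getErrorType(), $e->getMessage());
}
```

Two things are deliberately left out: the signed sample carries no exp claim, so no validity-window constraint is applied (a real backend would add one, and RFC 7523 requires exp), and the issuer-to-key lookup is a single shared HMAC secret rather than a per-client key, which is where a real registry would be consulted before SignedWith is constructed.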