Extensibility of azd and rctx

[tulshi]

From Yaron's feedback email
extensibility: please say explicitly that arbitrary claims may be added to the "azd" (and "rctx"?) objects. There is no IANA registry for either. Note that having 3 predefined attributes complicates the situation a bit - what happens if we want a 4th one? Also mention that any additional attributes are local to the trust domain.

[tulshi]

TraTs are unique within a trust domain, so do we really need an IANA registry for this? We can add a statement that specifies we can add any sub claims appropriate for the specific trust domain.

[tulshi]

We need to add the azd, purp, and rctx claims to the JWT claims registry. A question we need to address is how the RAR authorization_details and azd claims differ / coexist. We should do a PR that describes this. We can bring this up as a question in Vancouver.

[yaronf]

Even within a trust domain we may want interoperability between multiple vendor solutions. And there will be token translation services that exchange/translate TraTs between trust domains. All of these would benefit from registering claims.

[tulshi]

I look forward to discussing this in Vancouver