Hannes,

The main issue here is that JWT has been built to be used for things other than OAuth tokens (assertions, for instance), and that the introspection endpoint is very specifically tied to OAuth. At Torsten's suggestion, I've tried to align the output of the introspection endpoint to the appropriate claims from a JWT field, but this is a case of making the syntax match and not a normative tie-in. JWT has no place for "client_id" or "scope", which I think are vital for the token introspection.

This endpoint is not simply about unpacking information that's already contained in a token for clients that don't want to parse the token themselves, it's about providing metadata that the server has about the token and its surrounding grant/session to the requestor. The normal requestor, in my view, is going to be an RS, but it can really be anyone who has the permission to do so.

 -- Justin

On 02/28/2013 05:37 AM, Hannes Tschofenig wrote:
Hi Mike, Hi Justin,

when I looked at the JWT and the draft-richer-oauth-introspection documents I 
noticed that the two are not aligned (neither in the fields that are 
supported nor in the way the fields are defined).

IMHO draft-richer-oauth-introspection must not define new elements since those 
are already defined in the JWT.

You could compare the relationship between the JWT and the 
draft-richer-oauth-introspection in the following way:

The JWT passes the content by value from the AS via the client to the RS.
The draft-richer-oauth-introspection passes a reference to the content from the 
AS via the client to the RS, and since the RS ultimately needs to know the 
content it has to resolve the reference so that it gets the content.

Therefore, the content (the different JSON encoded structures) should only be 
defined once and could then be used in both specs.

Ciao
Hannes

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
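The distinction Justin draws above (metadata the AS holds about a token and its grant, such as client_id and scope, versus the JWT claims the response is merely aligned with) as an added example that is not part of this thread or of either draft: a toy introspection lookup in Python. The token store, the RS registry, the issuer URL and the "active" flag are constructed, and the field names other than client_id and scope are assumptions taken from the JWT registered claim names.

```python
"""Toy token introspection lookup (constructed example, not from any draft)."""
from dataclasses import dataclass

ISSUER = "https://as.example"  # constructed issuer URL


@dataclass
class TokenRecord:
    """What the AS knows about one issued token (keyed by the opaque token string)."""
    client_id: str   # OAuth grant metadata, no JWT registered claim for it
    scope: str       # OAuth grant metadata, no JWT registered claim for it
    sub: str         # the rest maps onto JWT registered claim names
    aud: str
    iat: int
    exp: int
    revoked: bool = False


# Constructed server-side token store: the content the RS resolves the reference to.
TOKEN_STORE = {
    "2YotnFZFEjr1zCsicMWpAA": TokenRecord("s6BhdRkqt3", "read write", "alice",
                                          "https://rs.example", 1362000000, 1362003600),
}
# Constructed registry of requestors permitted to introspect, credential -> audience.
RS_REGISTRY = {"rs-credential-1": "https://rs.example",
               "rs-credential-2": "https://other-rs.example"}


def jwt_claims(rec: TokenRecord) -> dict:
    """The part of the metadata whose names are aligned with JWT claims."""
    return {"iss": ISSUER, "sub": rec.sub, "aud": rec.aud, "iat": rec.iat, "exp": rec.exp}


def introspect(token: str, requestor_credential: str, now: int) -> dict:
    """Introspection response for an opaque token; `now` is a Unix timestamp.

    Unknown requestors are rejected outright (the endpoint is itself protected);
    unknown, expired, revoked or wrong-audience tokens are reported as inactive
    with no further detail, so nothing about foreign tokens is disclosed.
    """
    audience = RS_REGISTRY.get(requestor_credential)
    if audience is None:
        raise PermissionError("requestor is not authorised to introspect")
    rec = TOKEN_STORE.get(token)
    if rec is None or rec.revoked or rec.exp <= now or rec.aud != audience:
        return {"active": False}
    response = {"active": True, "client_id": rec.client_id, "scope": rec.scope}
    response.update(jwt_claims(rec))  # JWT-aligned names plus the OAuth-only fields
    return response
```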
