That doesn’t explain the need for inter-operability. What you’ve described is 
what will be common practice.

It’s a great open source technique, but that’s not a standard.

JWT is much different. JWT is a foundational specification that describes the 
construction and parsing of JSON based tokens. There is inter-op with token 
formats that build on top and there is inter-op between every communicating 
party.

In OAuth, a site may never implement token introspection, nor may it do it the 
way you describe. Why would that be a problem? Why should the group spend 
time on something where there may be no inter-op need?

Now that said, if you are in the UMA community, inter-op is quite 
foundational. It is very, very important. But then maybe the spec should be 
defined within UMA?

Phil

@independentid
www.independentid.com
phil.h...@oracle.com



On Jul 28, 2014, at 5:39 PM, Justin Richer <jric...@mit.edu> wrote:

> It's analogous to JWT in many ways: when you've got the AS and the RS 
> separated somehow (different box, different domain, even different software 
> vendor) and you need to communicate a set of information about the approval 
> delegation from the AS (who has the context to know about it) through to the 
> RS (who needs to know about it to make the authorization call). JWT gives us 
> an interoperable way to do this by passing values inside the token itself; 
> introspection gives a way to pass the values by reference via the token as an 
> artifact. The two are complementary, and there are even cases where you'd 
> want to deploy them together.
> 
>  -- Justin
> 
> On 7/28/2014 8:11 PM, Phil Hunt wrote:
>> Could we have some discussion on the interop cases?
>> 
>> Is it driven by scenarios where AS and resource are separate domains? Or may 
>> this be only of interest to specific protocols like UMA?
>> 
>> From a technique principle, the draft is important and sound. I am just not 
>> there yet on the reasons for an interoperable standard. 
>> 
>> Phil
>> 
>> On Jul 28, 2014, at 17:00, Thomas Broyer <t.bro...@gmail.com> wrote:
>> 
>>> Yes. This spec is of special interest to the platform we're building for 
>>> http://www.oasis-eu.org/
>>> 
>>> 
>>> On Mon, Jul 28, 2014 at 7:33 PM, Hannes Tschofenig 
>>> <hannes.tschofe...@gmx.net> wrote:
>>> Hi all,
>>> 
>>> during the IETF #90 OAuth WG meeting, there was strong consensus in
>>> adopting the "OAuth Token Introspection"
>>> (draft-richer-oauth-introspection-06.txt) specification as an OAuth WG
>>> work item.
>>> 
>>> We would now like to verify the outcome of this call for adoption on the
>>> OAuth WG mailing list. Here is the link to the document:
>>> http://datatracker.ietf.org/doc/draft-richer-oauth-introspection/
>>> 
>>> If you did not hum at the IETF 90 OAuth WG meeting, and have an opinion
>>> as to the suitability of adopting this document as a WG work item,
>>> please send mail to the OAuth WG list indicating your opinion (Yes/No).
>>> 
>>> The confirmation call for adoption will last until August 10, 2014.  If
>>> you have issues/edits/comments on the document, please send these
>>> comments along to the list in your response to this Call for Adoption.
>>> 
>>> Ciao
>>> Hannes & Derek
>>> 
>>> 
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>> 
>>> 
>>> 
>>> 
>>> -- 
>>> Thomas Broyer
>>> /tɔ.ma.bʁwa.je/
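Added example, not part of the original thread or of the draft: the by-value (JWT) and by-reference (introspection) hand-offs from AS to RS described in the quoted message, with revocation as the case where the two behave differently. The `AuthorizationServer` class, the shared HMAC key, the fixed clock and the in-process `introspect` call (standing in for an authenticated HTTPS request) are assumptions made for illustration; the response member names follow RFC 7662, the published form of this draft.

```python
import base64, hashlib, hmac, json, secrets

KEY = b"constructed-demo-key"  # AS/RS shared HMAC key, constructed for this example
NOW = 1406592000               # fixed clock so the results are reproducible

def b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=")

def sign(signing_input):
    return b64(hmac.new(KEY, signing_input, hashlib.sha256).digest())

class AuthorizationServer:  # hypothetical in-process stand-in for the AS
    def __init__(self):
        self.grants, self.revoked = {}, set()

    def issue_jwt(self, sub, scope, ttl=3600):
        # By value: the claims travel inside the HS256-signed token itself.
        head = b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
        body = b64(json.dumps({"sub": sub, "scope": scope, "exp": NOW + ttl}).encode())
        return b".".join([head, body, sign(head + b"." + body)]).decode()

    def issue_opaque(self, sub, scope, ttl=3600):
        # By reference: the token is a random handle; the claims stay at the AS.
        handle = secrets.token_urlsafe(16)
        self.grants[handle] = {"sub": sub, "scope": scope, "exp": NOW + ttl}
        return handle

    def revoke(self, token):
        self.revoked.add(token)

    def introspect(self, token):
        claims = self.grants.get(token)
        if claims is None or token in self.revoked or claims["exp"] <= NOW:
            return {"active": False}  # reveal nothing about dead or unknown tokens
        return {"active": True, **claims}

def rs_accepts_jwt(token, scope):
    # The RS decides alone: verify the MAC, then read the embedded claims.
    parts = token.encode().split(b".")
    if len(parts) != 3 or not hmac.compare_digest(parts[2], sign(parts[0] + b"." + parts[1])):
        return False
    claims = json.loads(base64.urlsafe_b64decode(parts[1] + b"=" * (-len(parts[1]) % 4)))
    return claims["exp"] > NOW and scope in claims["scope"].split()

def rs_accepts_opaque(as_, token, scope):
    # The RS asks the AS; a real deployment makes an authenticated HTTPS call here.
    reply = as_.introspect(token)
    return reply["active"] and scope in reply.get("scope", "").split()
```

After `revoke()`, the self-contained JWT still passes the RS's local check until its `exp`, while the introspected handle is rejected on the next request.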