On Sun, Mar 13, 2016 at 2:03 AM Justin Richer <jric...@mit.edu> wrote:

> What we've done in deployments is to combine JWT and introspection. You
> have all of your servers issue signed JWTs that include the "iss" (issuer)
> in the body, signed with the key of the AS. The tokens also include a
> random "jti" field. The RS submits the token to the introspection endpoint
> of the server identified in "iss", but only after validating the signature
> and other basic bits of information. If the introspection call comes back
> positive (and with the right scope, client, and resource owner
> information), the resource is served.
>

But you cannot force every AS to emit access tokens that are JWTs.
For those AS that won't, then the RS would probably have to provide
endpoints (token endpoints?), one per AS, where the client could exchange
an AT from the AS for an AT specific to the RS (using token exchange with
unauthenticated clients?)
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
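The resource-server flow Justin describes above (validate the signed JWT locally, use its "iss" only as a lookup key into a list of trusted authorization servers, then confirm the token with that server's introspection endpoint before checking scope and client) is sketched here as an added example; it is not code from the thread or from any project mentioned in it. It assumes the RS pins a per-issuer key and introspection URL in a constructed `TRUSTED_ISSUERS` table, uses HMAC-SHA256 with a shared key so it runs offline on the standard library (a real AS would sign with its private key and the RS would verify with the AS's public key), and replaces the HTTP POST to the introspection endpoint with a constructed in-memory `FakeIntrospectionServer` that can mark a "jti" as revoked, which is exactly the case local JWT validation alone cannot catch.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed allow-list: the RS decides which issuers it trusts and where each
# one's introspection endpoint is. The "iss" claim in a token never adds to
# this table; it only selects an entry from it.
TRUSTED_ISSUERS = {
    "https://as1.example.com": {"key": b"as1-constructed-key",
                                "introspect": "https://as1.example.com/introspect"},
    "https://as2.example.com": {"key": b"as2-constructed-key",
                                "introspect": "https://as2.example.com/introspect"},
}


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(issuer, sub, client_id, scope, ttl=300, now=None) -> str:
    """AS side: mint a compact JWT with iss, a random jti, and the basic claims."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": issuer, "jti": secrets.token_urlsafe(16), "sub": sub,
              "client_id": client_id, "scope": scope, "iat": now, "exp": now + ttl}
    signing_input = (_b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(TRUSTED_ISSUERS[issuer]["key"], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_locally(token, now=None) -> dict:
    """RS side, step 1: structure, pinned alg, issuer allow-list, signature and
    expiry are all checked before any network call. Raises ValueError on failure."""
    now = int(time.time()) if now is None else now
    try:
        h_b64, c_b64, s_b64 = token.split(".")
        header = json.loads(_b64url_decode(h_b64))
        claims = json.loads(_b64url_decode(c_b64))
        sig = _b64url_decode(s_b64)
    except ValueError:
        raise ValueError("malformed token")
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never accept 'none' or an alg the RS did not pin
    issuer = claims.get("iss")
    if issuer not in TRUSTED_ISSUERS:
        raise ValueError("unknown issuer")  # unknown iss means no key and no endpoint to ask
    expected = hmac.new(TRUSTED_ISSUERS[issuer]["key"], (h_b64 + "." + c_b64).encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise ValueError("bad signature")
    if not isinstance(claims.get("jti"), str) or claims.get("exp", 0) <= now:
        raise ValueError("missing jti or token expired")
    return claims


class FakeIntrospectionServer:
    """Constructed stand-in for one AS's introspection endpoint (RFC 7662 response
    shape). It tracks revoked jti values, the state a signature check cannot see."""

    def __init__(self, issuer):
        self.issuer = issuer
        self.revoked = set()

    def post(self, token) -> dict:
        try:
            claims = verify_locally(token)
        except ValueError:
            return {"active": False}
        if claims["iss"] != self.issuer or claims["jti"] in self.revoked:
            return {"active": False}
        return {"active": True, "scope": claims["scope"], "client_id": claims["client_id"],
                "sub": claims["sub"]}


def authorize(token, required_scope, expected_client, endpoints, now=None):
    """RS side: local checks, then introspection at the endpoint mapped from the
    token's issuer, then scope/client checks on the introspection response.
    `endpoints` maps introspection URL -> callable, standing in for HTTP POST."""
    try:
        claims = verify_locally(token, now)
    except ValueError as exc:
        return False, f"local check failed: {exc}"
    resp = endpoints[TRUSTED_ISSUERS[claims["iss"]]["introspect"]](token)
    if not resp.get("active"):
        return False, "introspection: inactive"
    if resp.get("client_id") != expected_client:
        return False, "introspection: wrong client"
    if required_scope not in resp.get("scope", "").split():
        return False, "introspection: missing scope"
    return True, resp["sub"]
```

The two checks are deliberately ordered: a forged or expired token is rejected without costing the AS a request, while a genuine token that has since been revoked is caught only by the introspection step, so neither check replaces the other.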