Hi all, I have a use case where I would like to return signed JWTs from the authorization server's introspection endpoint. In this case, I would like to give the resource server evidence about the fact that the AS minted the access token and is liable for its contents (verified person data used to create a qualified electronic signature).

Although token introspection more or less provides the RS with the content of a JWT, RFC 7662 only supports plain JSON. I talked to Justin and his recommendation was to use a header "Accept: application/jwt" to ask the AS for a signed JWT as the response instead of "application/json". We could do this, but clearly it would be a proprietary solution. I would like to know whether anyone else has the same or similar requirements and whether it would make sense to specify an extension to RFC 7662 for JWT responses. I'm looking forward to getting your feedback.

Kind regards,
Torsten
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
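As an added illustration, not code from the original post or from any authorization server implementation, here is the negotiation Torsten sketches as a runnable Python model: the AS answers an RFC 7662 introspection request with plain JSON by default, but when the RS sends "Accept: application/jwt" it returns the same result as a compact JWS carrying iss/aud/iat/exp, and the RS verifies signature, issuer, audience and freshness before trusting a single claim. Everything below is assumed for the sake of the example: the issuer and audience URLs, the HS256 shared key (a real deployment would sign with the AS's asymmetric key so that an RS holding only the verification key cannot forge responses), the sample token record, and the choice to nest the RFC 7662 result under a `token_introspection` claim so that the introspected token's own `exp` cannot collide with the response JWT's `exp`.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo values (assumptions, not from the original post).
AS_ISSUER = "https://as.example.com"
RS_AUDIENCE = "https://rs.example.com"
SHARED_KEY = b"constructed-demo-key-do-not-use-in-production"
NOW = 1700000000  # fixed clock so the example is deterministic

# Constructed in-memory token store of the AS; records use RFC 7662 claim names.
TOKEN_STORE = {
    "2YotnFZFEjr1zCsicMWpAA": {
        "active": True,
        "scope": "read write",
        "client_id": "l238j323ds-23ij4",
        "sub": "Z5O3upPC88QrAjx00dis",
        "exp": NOW + 3600,
    },
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Compact JWS (RFC 7515) over the claims set; HS256 only for brevity."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    mac = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(mac)


def introspect(token: str, accept: str, now: int = NOW) -> tuple:
    """AS side: RFC 7662 introspection with an Accept-driven JWT variant.

    Returns (content_type, body). Plain JSON is the RFC 7662 default; a request
    offering 'application/jwt' gets the same result signed by the AS and wrapped
    with iss/aud/iat/exp so the RS holds evidence of who asserted it.
    """
    record = TOKEN_STORE.get(token)
    result = dict(record) if record and record["exp"] > now else {"active": False}
    # Minimal Accept parsing: media types only, parameters such as q= dropped.
    offered = {part.split(";")[0].strip() for part in accept.split(",")}
    if "application/jwt" not in offered:
        return "application/json", json.dumps(result)
    # Nesting under one claim (assumption) keeps the token's `exp` apart from
    # the `exp` of the response itself, which is deliberately short-lived.
    claims = {
        "iss": AS_ISSUER,
        "aud": RS_AUDIENCE,
        "iat": now,
        "exp": now + 60,
        "token_introspection": result,
    }
    return "application/jwt", sign_hs256(claims, SHARED_KEY)


def verify_introspection_jwt(jws: str, key: bytes, issuer: str, audience: str,
                             now: int = NOW) -> dict:
    """RS side: signature, issuer, audience and freshness are all checked
    before any claim is returned; a failure raises ValueError."""
    parts = jws.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin the algorithm; the header never chooses it
    expected = hmac.new(key, (h + "." + p).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("signature check failed")
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != issuer or claims.get("aud") != audience:
        raise ValueError("unexpected iss/aud")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("response expired")
    if "token_introspection" not in claims:
        raise ValueError("missing introspection claim")
    return claims


if __name__ == "__main__":
    ctype, body = introspect("2YotnFZFEjr1zCsicMWpAA", "application/jwt")
    print(ctype, body, sep="\n")
    verified = verify_introspection_jwt(body, SHARED_KEY, AS_ISSUER, RS_AUDIENCE)
    print(verified["token_introspection"])
```

The RS-side check is where the liability argument from the post actually lands: the RS should refuse to act on an introspection JWT whose `aud` is not itself, whose `iss` is not the expected AS, or whose own `exp` has passed, otherwise a signed response captured for one RS could be replayed against another.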