Do you mean different requests should have the same jti value for better security?
It is not good that RFC 7662 has chosen "jti" as the property holding the identifier of an access/refresh token, although the format of introspection responses is not JWT but plain JSON. If the name were, for instance, "token_id" or something similar, the problem we are discussing now would not happen. Because "jti" has a special meaning in JWT and draft-ietf-oauth-jwt-introspection-response tries to return introspection responses in JWT format, the problem occurs. Not only "jti" but also the other properties defined in RFC 7662 that have special meanings in JWT (that is, "jti", "exp", "iat", "nbf", "sub", "aud" and "iss") may have problems, too.

The namespaces should be separated, as you suggested with "underlying_access_token", but because not only access tokens but also refresh tokens may be passed to the introspection endpoint, a better name should be chosen.

Taka

On Tue, Mar 3, 2020 at 1:55 AM Torsten Lodderstedt <tors...@lodderstedt.net> wrote:
>
>
> > On 02.03.2020 at 17:52, Takahiko Kawasaki <t...@authlete.com> wrote:
> >
> > The requirement for "jti" described
> > in draft-ietf-oauth-jwt-introspection-response-08 is problematic.
>
> I think having different jti values for different requests is a security
> risk.
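The collision Taka describes can be made concrete. The following Python script is an added example, not code from the thread, from RFC 7662, or from the draft: it builds a response JWT with its own "iss", "aud", "iat", "exp" and "jti", merges an RFC 7662 introspection object into it the naive way (top-level), and shows which registered claim names end up meaning two different things, then nests the introspection object under one separate claim so both identifiers survive. The issuer and audience URLs, the token values, the HS256 demo key and the claim name "underlying_token" (a placeholder chosen here so it is not tied to access tokens only, as the message points out) are all constructed assumptions, not names from the draft.

```python
import base64
import hashlib
import hmac
import json

# Claim names that RFC 7519 registers for JWTs. RFC 7662 reuses several of
# them ("jti", "exp", "iat", "nbf", "sub", "aud", "iss") to describe the
# introspected token rather than the JWT that carries the response.
JWT_REGISTERED_CLAIMS = frozenset({"iss", "sub", "aud", "exp", "nbf", "iat", "jti"})

# Constructed sample data (hypothetical values, not from the thread).
AS_ISSUER = "https://as.example.com"      # hypothetical authorization server
RS_AUDIENCE = "https://rs.example.com"    # hypothetical resource server

# Claims about the response JWT itself.
RESPONSE_ENVELOPE = {
    "iss": AS_ISSUER,
    "aud": RS_AUDIENCE,
    "iat": 1583200000,       # when this response was produced
    "exp": 1583200300,       # how long the response itself stays valid
    "jti": "resp-0001",      # identifies this response, not the token
}

# RFC 7662 introspection object: claims about the introspected access token.
INTROSPECTION = {
    "active": True,
    "jti": "at-7f3c",        # identifies the access token
    "iss": AS_ISSUER,
    "sub": "alice",
    "aud": RS_AUDIENCE,
    "iat": 1583196000,       # when the token was issued
    "exp": 1583199600,       # when the token expires
    "scope": "read",
    "client_id": "app-1",
    "token_type": "Bearer",
}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(payload: dict, key: bytes) -> str:
    """Minimal HS256 JWS compact serialization of a JSON payload."""
    header = {"alg": "HS256", "typ": "JWT"}
    enc = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = enc(header) + "." + enc(payload)
    tag = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(tag)


def verify_hs256(token: str, key: bytes) -> dict:
    """Check the HMAC tag in constant time and return the decoded payload."""
    signing_input, _, tag = token.rpartition(".")
    expected = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(tag)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(signing_input.split(".")[1]))


def colliding_claims(envelope: dict, introspection: dict) -> set:
    """Registered JWT claim names used by both the response JWT and the
    RFC 7662 object, i.e. names a flat merge cannot carry unambiguously."""
    return {k for k in JWT_REGISTERED_CLAIMS if k in envelope and k in introspection}


def flat_response(envelope: dict, introspection: dict) -> dict:
    """Naive layout: RFC 7662 properties placed at the JWT top level.
    Whichever side is merged last silently wins for every colliding name."""
    return {**envelope, **introspection}


def namespaced_response(envelope: dict, introspection: dict,
                        claim: str = "underlying_token") -> dict:
    """Nest the whole RFC 7662 object under one non-registered claim, so the
    response keeps its own jti/exp/iat and the token keeps its own."""
    if claim in JWT_REGISTERED_CLAIMS or claim in envelope:
        raise ValueError(f"{claim!r} would itself collide")
    return {**envelope, claim: dict(introspection)}


if __name__ == "__main__":
    key = b"constructed-demo-key"   # demo secret, not a real key
    print("colliding names:", sorted(colliding_claims(RESPONSE_ENVELOPE, INTROSPECTION)))
    flat = flat_response(RESPONSE_ENVELOPE, INTROSPECTION)
    print("flat jti:", flat["jti"], "(the response id resp-0001 is lost)")
    nested = namespaced_response(RESPONSE_ENVELOPE, INTROSPECTION)
    decoded = verify_hs256(sign_hs256(nested, key), key)
    print("response jti:", decoded["jti"], "/ token jti:", decoded["underlying_token"]["jti"])
```

With the flat layout the resource server cannot tell whether "exp" bounds the cached response or the token, and one of the two "jti" values is simply gone; with the nested layout a replay check on the response's "jti" and a revocation check on the token's "jti" can both be expressed without ambiguity.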
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth