Hi Torsten,

Sorry for the delayed response, but since I was explicitly listed in the "To:" field I expect the response is still of interest.

On Wed, Mar 04, 2020 at 05:19:13PM +0100, Torsten Lodderstedt wrote:
> Hi all,
>
> based on the recent feedback, Vladimir and I propose the following changes to
> draft-ietf-oauth-jwt-introspection-response:
>
> - the token data are encapsulated in a container element “_token_data”
> - beyond this, the top-level container only contains meta data pertinent to
> the JWT representing the signed (encrypted) introspection response
> - we need to add text to the spec to point out that replay detection must be
> based on the jti in the “_token_data” container not the top level claim
I think this sort of thing will resolve the fundamental issues quite well. (I want to say I had listed it as a potential option some months ago, but don't have the time to go look in the archives and check.) I see there's still some discussion ongoing about specifics, which is fine; I expect we will still end up in a good place.

-Ben

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
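The structure Torsten proposes above, and the replay-detection point that goes with it, can be made concrete with a small worked example. The code below is an added illustration and is not part of the thread or of the draft itself: it builds a compact JWS whose top level carries only response metadata (`iss`, `aud`, `iat`, and a response `jti`) with the introspected token's claims inside the `_token_data` container, then shows why a replay check keyed on the wrong `jti` fails. The HMAC-SHA256 signature with a shared secret, the issuer and audience URLs, and the sample token claims are all constructed assumptions for this example (the draft signs the response with the authorization server's key).

```python
import base64
import hashlib
import hmac
import json

# Constructed for this example: a shared HMAC secret standing in for the AS
# signing key. The draft would use an asymmetric signature over the response.
SECRET = b"example-shared-secret-not-for-production"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_introspection_response(response_jti: str, token_data: dict, issued_at: int) -> str:
    """Build a compact JWS whose top level holds only metadata about the
    response JWT and whose '_token_data' member holds the token's claims."""
    header = {"alg": "HS256"}
    payload = {
        "iss": "https://as.example.test",   # assumed issuer (the AS)
        "aud": "https://rs.example.test",   # assumed audience (the RS)
        "iat": issued_at,
        "jti": response_jti,                # identifies THIS response, not the token
        "_token_data": token_data,          # the actual introspection result
    }
    signing_input = (
        b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_and_parse(jws: str) -> dict:
    """Check the signature and require the '_token_data' container."""
    head, body, sig = jws.split(".")
    expected = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    payload = json.loads(b64url_decode(body))
    if "_token_data" not in payload:
        raise ValueError("missing _token_data container")
    return payload


class ReplayDetector:
    """Remembers token identifiers already presented; keyed on the INNER jti."""

    def __init__(self) -> None:
        self.seen = set()

    def check(self, payload: dict) -> bool:
        """Return True the first time a token is seen, False on replay."""
        token_jti = payload["_token_data"].get("jti")
        if token_jti is None:
            raise ValueError("token data carries no jti")
        if token_jti in self.seen:
            return False
        self.seen.add(token_jti)
        return True


def demo() -> dict:
    """Two responses for the same token: each response has its own top-level
    jti, so only a detector keyed on _token_data.jti notices the replay."""
    token = {"active": True, "jti": "tok-42", "scope": "read", "client_id": "client-a"}
    first = verify_and_parse(sign_introspection_response("resp-0001", token, 1700000000))
    second = verify_and_parse(sign_introspection_response("resp-0002", token, 1700000005))

    inner_keyed = ReplayDetector()
    outer_seen = set()
    outer_keyed = []
    for p in (first, second):
        outer_keyed.append(p["jti"] not in outer_seen)  # the mistaken approach
        outer_seen.add(p["jti"])
    return {
        "inner_keyed": [inner_keyed.check(first), inner_keyed.check(second)],
        "outer_keyed": outer_keyed,
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` gives `inner_keyed == [True, False]` and `outer_keyed == [True, True]`: the second presentation of `tok-42` is caught only when the check reads the `jti` inside `_token_data`, because every response JWT legitimately carries a fresh top-level `jti` of its own.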