> In this model, considering that token revocations don't happen a lot...
Just a brief note: a secure piece of software makes the logout feature prominent. Every logout event should trigger token revocation. I'm mentioning this because a lot of OAuth solutions in the mobile space literally ignore the logout event, such as Facebook's mobile OAuth solution.

- Jim

> On Oct 4, 2020, at 6:55 AM, Nicolas Mora <nico...@babelouest.org> wrote:
>
> Hello,
>
>> On 20-10-04 at 11:27, Thomas Broyer wrote:
>>
>> There might be some kind of pushed events between the AS and the RS when
>> a JWT AT is revoked, to allow the RS not to introspect a JWT AT at all.
>> Like this, the RS knows if a JWT AT has been revoked or not.
>>
>>
>> If there are some kind of pushed events between the AS and the RS, then
>> it could push the revoked (and/or expired) opaque AT too, giving almost
>> no advantage to JWT ATs.
>>
> Not necessarily, let's say the AS informs the RS only of the revoked
> ATs, when a RS checks an AT, it verifies the signature first, then the
> claims, then checks if the AT has been revoked by checking its internal
> list filled by the AS pushed events.
>
> In this model, considering that token revocations don't happen a lot,
> the ratio revoked AT/valid AT is very low, so the advantage of a JWT is
> important, because it means not so much communication between the AS and
> the RSs, and a very reliable AT.
>
> But this means a communication mechanism that isn't standardized yet.
>
> /Nicolas
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
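As an added illustration of the check order Nicolas describes (signature first, then claims, then a locally held revocation list that the AS fills through pushed events, so the RS never introspects) and of Jim's point that a logout should produce a revocation event, here is an example that is not part of this thread's messages or of any IETF specification. It assumes an HS256-signed JWT AT carrying a `jti` claim, a hypothetical `on_revocation_event` handler standing in for the not-yet-standardized push mechanism, and a constructed shared key; it also goes slightly beyond the thread by pruning revocation entries once the token they refer to would be rejected as expired anyway.

```python
import base64
import hashlib
import hmac
import json

# Constructed example values: a shared HMAC key (a real AS would sign with an
# asymmetric key so the RS only holds the public part) and the RS's audience.
AS_KEY = b"example-shared-secret-not-for-production"
EXPECTED_AUDIENCE = "https://rs.example"


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_jwt_at(claims, key=AS_KEY):
    """AS side (hypothetical): mint an HS256 JWT access token for the example."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "at+jwt"}).encode())
    body = _b64url(json.dumps(claims).encode())
    signing_input = (header + "." + body).encode("ascii")
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return header + "." + body + "." + _b64url(sig)


class ResourceServer:
    """RS that validates JWT ATs locally and keeps a revocation list
    that the AS fills through pushed events (no introspection call)."""

    def __init__(self, key=AS_KEY, audience=EXPECTED_AUDIENCE):
        self._key = key
        self._audience = audience
        self._revoked = {}  # jti -> exp, so stale entries can be pruned

    def on_revocation_event(self, jti, exp):
        """Hypothetical handler for an AS push event, e.g. fired on user logout."""
        self._revoked[jti] = exp

    def purge_expired(self, now):
        """Drop revoked entries whose token would be rejected as expired anyway.
        Returns the number of entries still held."""
        self._revoked = {j: e for j, e in self._revoked.items() if e > now}
        return len(self._revoked)

    def validate(self, token, now):
        """Return (accepted, reason). Order: signature, then claims, then revocation."""
        parts = token.split(".")
        if len(parts) != 3:
            return False, "malformed"
        header_b64, body_b64, sig_b64 = parts
        try:
            header = json.loads(_b64url_decode(header_b64))
            signature = _b64url_decode(sig_b64)
        except (ValueError, UnicodeDecodeError):
            return False, "malformed"
        # Pin the algorithm; never let the token header choose it (alg=none etc.).
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return False, "bad algorithm"
        expected = hmac.new(self._key, (header_b64 + "." + body_b64).encode("ascii"),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, signature):
            return False, "bad signature"
        # Only once the signature holds do we read and trust the claims.
        try:
            claims = json.loads(_b64url_decode(body_b64))
        except (ValueError, UnicodeDecodeError):
            return False, "malformed"
        if not isinstance(claims, dict):
            return False, "malformed"
        exp = claims.get("exp")
        if not isinstance(exp, (int, float)) or exp <= now:
            return False, "expired"
        if claims.get("aud") != self._audience:
            return False, "bad audience"
        jti = claims.get("jti")
        if not jti:
            return False, "missing jti"
        # Last step: the local revocation list filled by AS push events.
        if jti in self._revoked:
            return False, "revoked"
        return True, "ok"


if __name__ == "__main__":
    rs = ResourceServer()
    now = 1_700_000_000
    tok = issue_jwt_at({"jti": "t1", "sub": "alice", "aud": EXPECTED_AUDIENCE, "exp": now + 600})
    print(rs.validate(tok, now))          # accepted
    rs.on_revocation_event("t1", now + 600)  # user logged out: AS pushes the jti
    print(rs.validate(tok, now))          # now rejected as revoked
```

The revocation list only ever holds `jti` values of tokens that were revoked before their `exp`, which is why the per-RS state stays small in the regime Nicolas describes; `purge_expired` keeps it bounded, since an expired token fails the claims check before the list is consulted.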