Re: [OAUTH-WG] Conflicting definitions in JWT Response for OAuth Token Introspection

Torsten Lodderstedt <> Mon, 02 March 2020 13:54 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id C69B93A0C37 for <>; Mon, 2 Mar 2020 05:54:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id O8h7Di2LcFQp for <>; Mon, 2 Mar 2020 05:54:30 -0800 (PST)
Received: from ( [IPv6:2a00:1450:4864:20::330]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id AF30F3A0C36 for <>; Mon, 2 Mar 2020 05:54:29 -0800 (PST)
Received: by with SMTP id z12so11275290wmi.4 for <>; Mon, 02 Mar 2020 05:54:29 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=google; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=5O7s4ExhP4Wvq/Tk3v+w1jNy8MVRbq4UVj9eoHHnOX8=; b=FNzMXw28kkLOXEtP7wuzPryWDGJFKx5vG9zK4TJlKlQ5/6dn7HjzoKmVqrCwpXEgNN 8YhDvjU0wOpNmmCNVyWUtzF6sPM/K5221YqF78Hb32Uaf4u56UPFtcR44Pb5zNK2sRhy Zo371Ve+KcxBEFMRasEMzGtEeq/oZEr3Iiec3rqEtOKGq68mBIW9lX4wPT+OEerxcQwm YAiQtmJiqqwXv/jKSnO2Y2NBFbstunefgt7tohllV1xh+BD0DSFsaqe4rI0mymgdWeov ESGlZzseH/QgVYI6zuSuc8rxn6XJ/XkCVf5CSEAyKrgN9IDWpx5polulI+u8yf5BN2Q0 aGig==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=5O7s4ExhP4Wvq/Tk3v+w1jNy8MVRbq4UVj9eoHHnOX8=; b=LJovcZ9YfVqsiiF03+JoO86p+RDrQ6qMpe5ZfqHTC5c28psqlSnpn/WCY6QjoA6tsH +NFvU9ofOVfDIWCjMccK9OPUXEJTYn7umnfs8+v0XIooVRrvlqSeIq2MkS6MRmi7WDVk nZViPMduWp8jHAuUAkR7GfX+J96PNnQal/7RqRLiAQBugHPVzAQbXJcEnAo1v5HZY+Tn 3FwCHneumDA1t/kj9GwVFDsoWF4vyPnVui0hCIKVLu070gt2qaCMNJoVnDSSQvHkBlLN zBEq13LvvyzsDWUVFn6znsy7hCR9Uldy7H3T5RsjfLX3krpdvk6OVnff5Fykk3DpvgRz U66w==
X-Gm-Message-State: APjAAAUqVtdBLrWafbC2hrG0NSBI1xlCW0I9k+0LcRoqG1YQ4jgrFHVA nsSEc1+Un2RM5HgQK9oXRt3U9Pfs/mSIYg==
X-Google-Smtp-Source: APXvYqwcTdvAbNhZP3Gr527YdCt/aCA9WifFp1mGFiY1rekEGQQd+7PI6wYr7LaglCEZe1zalyWtPw==
X-Received: by 2002:a1c:6507:: with SMTP id z7mr14011999wmb.10.1583157268084; Mon, 02 Mar 2020 05:54:28 -0800 (PST)
Received: from [] ( []) by with ESMTPSA id f16sm19029651wrx.25.2020. (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 02 Mar 2020 05:54:27 -0800 (PST)
From: Torsten Lodderstedt <>
Message-Id: <>
Content-Type: multipart/signed; boundary="Apple-Mail=_EEFEB02D-D71F-4E51-AFE8-41272959BA5D"; protocol="application/pkcs7-signature"; micalg="sha-256"
Mime-Version: 1.0 (Mac OS X Mail 13.0 \(3608.\))
Date: Mon, 02 Mar 2020 14:54:26 +0100
In-Reply-To: <>
Cc: oauth <>
To: Takahiko Kawasaki <>
References: <>
X-Mailer: Apple Mail (2.3608.
Archived-At: <>
Subject: Re: [OAUTH-WG] Conflicting definitions in JWT Response for OAuth Token Introspection
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 02 Mar 2020 13:54:32 -0000

Hi Taka, 

> On 1. Mar 2020, at 08:10, Takahiko Kawasaki <> wrote:
> Hello,
> I'm wondering if the following conflicts in "JWT Response for OAuth Token Introspection" (draft 8) have already been pointed out.
> RFC 8707 (Resource Indicators for OAuth 2.0) requires that 'aud' in an introspection response hold the values of the 'resource' request parameters, whereas "JWT Response for OAuth Token Introspection" says that 'aud' MUST identify the resource server receiving the token introspection response. The definitions conflict.

RFC 8707 states 

The authorization server may use
   the exact "resource" value as the audience or it may map from that
   value to a more general URI or abstract identifier for the given

draft-ietf-oauth-jwt-introspection-response-08 states

The value of the "aud" claims MUST identify the resource server
   receiving the token introspection response.

So RFC 8707 gives choices of how the resource server might be identified and draft-ietf-oauth-jwt-introspection-response-08 says the AS must identify the RS without prescribing any particular way. So basically you can use the advice given by  RFC 8707 to implement the requirement stated by draft-ietf-oauth-jwt-introspection-response-08.

I don’t see a conflict. 

> RFC 7662 (OAuth 2.0 Token Introspection) requires that 'iat' in an introspection response indicate when the access/refresh token was issued, whereas "JWT Response for OAuth Token Introspection" says that 'iat' indicates when the introspection response in JWT format was issued. The definitions conflict.

I will come back to this issue in an answer to Filip’s post.

best regards,

> Best Regards,
> Takahiko Kawasaki
> Authlete, Inc.
> _______________________________________________
> OAuth mailing list