[OAUTH-WG] Token Introspection and JWTs

Torsten Lodderstedt <torsten@lodderstedt.net> Wed, 28 February 2018 07:48 UTC

From: Torsten Lodderstedt <torsten@lodderstedt.net>
Message-Id: <74F11CBE-5ED8-4B2C-B219-F9036E07B3B9@lodderstedt.net>
Date: Wed, 28 Feb 2018 08:48:33 +0100
To: oauth <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/NuoT_NupVIKOozuVIJEqJSdE_mk>
Subject: [OAUTH-WG] Token Introspection and JWTs

Hi all,

I have a use case where I would like to return signed JWTs from the authorization server’s introspection endpoint. In this case, I would like to give the resource server evidence of the fact that the AS minted the access token and is liable for its contents (verified person data used to create a qualified electronic signature).

Although token introspection more or less provides the RS with the content of a JWT, RFC 7662 only supports plain JSON. I talked to Justin and his recommendation was to use a header “accept: application/jwt” to ask the AS for a signed JWT as the response instead of “application/json”. We could do this but clearly it would be a proprietary solution.

I would like to know whether anyone else has the same or similar requirements and whether it would make sense to specify an extension to RFC 7662 for JWT responses.

I’m looking forward to getting your feedback.

kind regards,
Torsten.
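The Accept-header negotiation the mail describes, as an added example that is neither from the mail nor from the OAuth WG: a constructed in-memory authorization server answers an introspection call with the plain JSON of RFC 7662 by default and with a compact JWS when the caller sends `Accept: application/jwt`, and a resource-server-side function verifies that JWS before trusting any claim in it. The signing algorithm (EdDSA over Ed25519), the token table, the issuer URL and the extra `iss`/`iat` claims are all assumptions; the mail names none of them.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Introspection holds the RFC 7662 response fields used here (a subset).
// iss and iat are an assumption: they let the RS tie the response to the AS.
type Introspection struct {
	Active   bool   `json:"active"`
	Scope    string `json:"scope,omitempty"`
	ClientID string `json:"client_id,omitempty"`
	Sub      string `json:"sub,omitempty"`
	Exp      int64  `json:"exp,omitempty"`
	Iss      string `json:"iss,omitempty"`
	Iat      int64  `json:"iat,omitempty"`
}

// AuthServer is a constructed in-memory AS: a token table plus an Ed25519 signing key.
type AuthServer struct {
	issuer string
	priv   ed25519.PrivateKey
	tokens map[string]Introspection
}

func NewAuthServer(issuer string) (*AuthServer, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &AuthServer{issuer: issuer, priv: priv, tokens: map[string]Introspection{}}, nil
}

// PublicKey is what the RS would obtain out of band (e.g. from the AS key set).
func (as *AuthServer) PublicKey() ed25519.PublicKey {
	return as.priv.Public().(ed25519.PublicKey)
}

// Issue registers an access token with its metadata (stand-in for minting).
func (as *AuthServer) Issue(token string, meta Introspection) { as.tokens[token] = meta }

var b64 = base64.RawURLEncoding

// Introspect answers one introspection call. accept is the request's Accept header:
// "application/jwt" selects the signed response, anything else plain RFC 7662 JSON.
func (as *AuthServer) Introspect(token, accept string, now time.Time) (string, []byte, error) {
	resp, ok := as.tokens[token]
	if !ok || now.Unix() >= resp.Exp {
		// RFC 7662 section 2.2: unknown or expired tokens get only active=false.
		resp = Introspection{Active: false}
	}
	if !strings.EqualFold(strings.TrimSpace(accept), "application/jwt") {
		body, err := json.Marshal(resp)
		return "application/json", body, err
	}
	// Signed variant: the AS names itself as issuer, stamps the time and signs.
	resp.Iss, resp.Iat = as.issuer, now.Unix()
	payload, err := json.Marshal(resp)
	if err != nil {
		return "", nil, err
	}
	header, _ := json.Marshal(map[string]string{"alg": "EdDSA", "typ": "JWT"})
	signingInput := b64.EncodeToString(header) + "." + b64.EncodeToString(payload)
	sig := ed25519.Sign(as.priv, []byte(signingInput))
	return "application/jwt", []byte(signingInput + "." + b64.EncodeToString(sig)), nil
}

// VerifyIntrospectionJWT is the RS side: pin the algorithm, check the signature
// and the issuer before any claim in the response is believed.
func VerifyIntrospectionJWT(jwt string, pub ed25519.PublicKey, expectedIss string) (Introspection, error) {
	var resp Introspection
	parts := strings.Split(jwt, ".")
	if len(parts) != 3 {
		return resp, errors.New("not a compact JWS")
	}
	headerJSON, err := b64.DecodeString(parts[0])
	if err != nil {
		return resp, err
	}
	var header struct{ Alg string `json:"alg"` }
	if err := json.Unmarshal(headerJSON, &header); err != nil {
		return resp, err
	}
	if header.Alg != "EdDSA" { // never let the message pick an algorithm for us
		return resp, fmt.Errorf("unexpected alg %q", header.Alg)
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return resp, err
	}
	if !ed25519.Verify(pub, []byte(parts[0]+"."+parts[1]), sig) {
		return resp, errors.New("bad signature")
	}
	payload, err := b64.DecodeString(parts[1])
	if err != nil {
		return resp, err
	}
	if err := json.Unmarshal(payload, &resp); err != nil {
		return resp, err
	}
	if resp.Iss != expectedIss {
		return Introspection{}, fmt.Errorf("unexpected issuer %q", resp.Iss)
	}
	return resp, nil
}

func main() {
	as, err := NewAuthServer("https://as.example")
	if err != nil {
		panic(err)
	}
	now := time.Unix(1519804113, 0) // constructed fixed clock
	as.Issue("tok-1", Introspection{Active: true, Scope: "sign", ClientID: "rs-client", Sub: "alice", Exp: now.Unix() + 600})
	ct, body, _ := as.Introspect("tok-1", "application/jwt", now)
	fmt.Println(ct, string(body))
	resp, err := VerifyIntrospectionJWT(string(body), as.PublicKey(), "https://as.example")
	fmt.Printf("%+v %v\n", resp, err)
}
```

Two design points worth noting: the signed response is produced for `active: false` as well, so the RS gets AS-attested evidence for negative answers too, and the verifier refuses any `alg` other than the one it expects rather than trusting the header to choose.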