[OAUTH-WG] Fwd: New Version Notification for draft-lodderstedt-oauth-jwt-introspection-response-01.txt

Torsten Lodderstedt <torsten@lodderstedt.net> Mon, 28 May 2018 16:59 UTC

Return-Path: <torsten@lodderstedt.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id E71AF12D948 for <oauth@ietfa.amsl.com>; Mon, 28 May 2018 09:59:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.62
X-Spam-Status: No, score=-2.62 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id dzwmNEFjs3Kd for <oauth@ietfa.amsl.com>; Mon, 28 May 2018 09:59:01 -0700 (PDT)
Received: from smtprelay04.ispgateway.de (smtprelay04.ispgateway.de []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4145212D775 for <oauth@ietf.org>; Mon, 28 May 2018 09:59:01 -0700 (PDT)
Received: from [] (helo=[]) by smtprelay04.ispgateway.de with esmtpsa (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.90_1) (envelope-from <torsten@lodderstedt.net>) id 1fNLU2-0004WB-FC for oauth@ietf.org; Mon, 28 May 2018 18:58:58 +0200
From: Torsten Lodderstedt <torsten@lodderstedt.net>
Content-Type: multipart/signed; boundary="Apple-Mail=_25579D68-0221-44B5-913B-86178DB425B0"; protocol="application/pkcs7-signature"; micalg=sha1
Mime-Version: 1.0 (Mac OS X Mail 11.3 \(3445.6.18\))
Message-Id: <4D24E05B-EDC1-458C-A106-662345090399@lodderstedt.net>
References: <152752608213.4961.1659822390005305046.idtracker@ietfa.amsl.com>
To: oauth <oauth@ietf.org>
Date: Mon, 28 May 2018 18:58:55 +0200
X-Mailer: Apple Mail (2.3445.6.18)
X-Df-Sender: dG9yc3RlbkBsb2RkZXJzdGVkdC5uZXQ=
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/uObZpUWyPj7aezRXvapA4J0goGw>
Subject: [OAUTH-WG] Fwd: New Version Notification for draft-lodderstedt-oauth-jwt-introspection-response-01.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 28 May 2018 16:59:05 -0000

Hi all, 

I just published a new revision of the JWT Introspection response draft. Based on the feedback in London, the draft entirely focuses on use cases where the RS requires stronger assurance that the respective AS issued the token, including cases where the AS assumes liability for the token’s content. 

We incorporated the following changes:
	• fixed typos in client meta data field names (thanks Petteri!)
	• added OAuth Server Metadata parameters to publish algorithms supported for signing and encrypting the introspection response
	• added registration of new parameters for OAuth Server Metadata and Client Registration
	• added explicit request for JWT introspection response
	• made iss and aud claims mandatory in introspection response (thanks Neil!)
	• Stylistic and clarifying edits, updates references

Thanks to all reviewers!

Vladimir and I are on the fence whether the Introspection Response format should be determined by the AS based on its policy and/or RS-related registration metadata or whether the RS should explicitly request a JWT response by including an Accept header „application/jwt“ in the respective request. 

What do you think?

kind regards,

> Anfang der weitergeleiteten Nachricht:
> Von: internet-drafts@ietf.org
> Betreff: New Version Notification for draft-lodderstedt-oauth-jwt-introspection-response-01.txt
> Datum: 28. Mai 2018 um 18:48:02 MESZ
> An: "Vladimir Dzhuvinov" <vladimir@connect2id.com>om>, "Torsten Lodderstedt" <torsten@lodderstedt.net>
> A new version of I-D, draft-lodderstedt-oauth-jwt-introspection-response-01.txt
> has been successfully submitted by Torsten Lodderstedt and posted to the
> IETF repository.
> Name:		draft-lodderstedt-oauth-jwt-introspection-response
> Revision:	01
> Title:		JWT Response for OAuth Token Introspection
> Document date:	2018-05-28
> Group:		Individual Submission
> Pages:		10
> URL:            https://www.ietf.org/internet-drafts/draft-lodderstedt-oauth-jwt-introspection-response-01.txt
> Status:         https://datatracker.ietf.org/doc/draft-lodderstedt-oauth-jwt-introspection-response/
> Htmlized:       https://tools.ietf.org/html/draft-lodderstedt-oauth-jwt-introspection-response-01
> Htmlized:       https://datatracker.ietf.org/doc/html/draft-lodderstedt-oauth-jwt-introspection-response
> Diff:           https://www.ietf.org/rfcdiff?url2=draft-lodderstedt-oauth-jwt-introspection-response-01
> Abstract:
>   This draft proposes an additional JSON Web Token (JWT) based response
>   for OAuth 2.0 Token Introspection.
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
> The IETF Secretariat