- changed title to oauth2 Profile - 3.2. @torsten comment
oauth2 Profile - 3.2. @torsten comment
Section describes use of JWTs and Introspection to convey token data. Are both mechanisms a mandatory-to-implement requirement for every iGov compliant AS? How is the AS supposed to determine what kind of token to issue for a particular token request?
Comments (8)
-
Account Deactivated reporter -
In the current text the introspection endpoint is OPTIONAL.
AT in JWT format is a good solution for enabling some metadata in a token that otherwise would be opaque.
The value of having AT in JWT format is that, on the basis of the claims contained therein, it may or may not be necessary to adopt introspection endpoints.
Having introspection as optional, only the JWT format gives the AT the minimum properties for good interoperability.
-
- changed status to wontfix
-
- changed status to open
-
- marked as blocker
Changed to BLOCKER to filter for v1.05/Implementer’s draft.
-
JWTs are required and Introspection is not.
-
- changed status to resolved
JWTs are required, introspection is not (MAY)