oauth2 Profile - 3.2.1 @torsten comment [clarify methods to determine JWT security characteristics]
"In order to facilitate interoperability with multiple protected resources, all iGov-compliant authorization servers issue cryptographically signed tokens in the JSON Web Token (JWT) format."
How does JWT facilitate interop with multiple RSs? I mean I know how JWT facilitates interop in general, but I don't understand the meaning of the "multiple" in this sentence. Is the client supposed to use the token to interact with multiple RSs?
"The information carried in the JWT is intended to allow a protected resource to quickly test the integrity of the token without additional network calls, and to allow the protected resource to determine which authorization server issued the token. When combined with discovery, this information is sufficient to programmatically locate the token introspection service, which is in turn used for conveying additional security information about the token."
To me this reads like the RS is supposed to use introspection in addition to the JWT. Is that correct? Is this supposed to happen for any RS and every request?
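The local checks the quoted profile text describes (testing integrity without a network call, then identifying the issuer and, via discovery, its introspection endpoint for optional follow-up), as an added example that is not code from the iGov profile or from this issue. The issuer, key and endpoint values are constructed, and HS256 stands in for whatever signing algorithm a given authorization server actually uses:

```python
import base64
import hashlib
import hmac
import json

# Constructed stand-in for discovery: per-issuer verification key and introspection endpoint.
TRUSTED_ISSUERS = {
    "https://as.example.test": {
        "alg": "HS256",
        "key": b"demo-shared-secret-not-for-production",
        "introspection_endpoint": "https://as.example.test/introspect",
    },
}

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def mint_hs256(claims: dict, key: bytes) -> str:
    """Build a compact HS256 JWT; used here only to construct sample tokens."""
    header = b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"

def validate_locally(token: str, now: int) -> dict:
    """Verify integrity and issuer with no network call; returns the claims and
    the issuer's introspection endpoint, or raises ValueError on any failure."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(body_b64))
    except ValueError as exc:  # wrong part count, bad base64 or bad JSON
        raise ValueError("malformed JWT") from exc
    issuer = TRUSTED_ISSUERS.get(claims.get("iss"))
    if issuer is None:
        raise ValueError("unknown issuer")
    # Pin the algorithm to the issuer's configuration instead of trusting the
    # header, so 'none' and algorithm-substitution tokens are rejected.
    if header.get("alg") != issuer["alg"]:
        raise ValueError("unexpected alg")
    signed = f"{header_b64}.{body_b64}".encode()
    if not hmac.compare_digest(hmac.new(issuer["key"], signed, hashlib.sha256).digest(),
                               b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return {"claims": claims, "introspection_endpoint": issuer["introspection_endpoint"]}
```

Whether the resource server then calls the returned introspection endpoint is a per-deployment choice; nothing in the local check requires it.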
Comments (8)
-
Account Deactivated reporter -
Linked to https://bitbucket.org/openid/igov/issues/14/oauth2-profile-32-torsten-comment
where the same answer can be applied
-
- marked as blocker
Changed to BLOCKER to filter for v1.05/Implementer’s draft.
-
Will delete “with protected resources”. Introspection is not required for every request.
-
Actually, remove “In order to facilitate interoperability with multiple protected resources” to address the first part of the issue
-
Change second sentence in second part of issue from "When combined with discovery, this information is sufficient to programmatically locate the token introspection service, which is in turn used for conveying additional security information about the token." to "The protected resource MAY use the authorization server token introspection service to retrieve additional security information about the token."
-
- changed title to oauth2 Profile - 3.2.1 @torsten comment [clarify methods to determine JWT security characteristics]
-
- changed status to resolved