That doesn’t explain the need for inter-operability. What you’ve described is what will be common practice.
It’s a great open source technique, but that’s not a standard. JWT is much different. JWT is a foundational specification that describes the construction and parsing of JSON based tokens. There is inter-op with token formats that build on top and there is inter-op between every communicating party. In OAuth, a site may never implement token introspection nor may it do it the way you describe. Why would that be a problem? Why should the group spend time on something where there may be no inter-op need. Now that said, if you are in the UMA community. Inter-op is quite foundational. It is very very important. But then maybe the spec should be defined within UMA? Phil @independentid www.independentid.com [email protected] On Jul 28, 2014, at 5:39 PM, Justin Richer <[email protected]> wrote: > It's analogous to JWT in many ways: when you've got the AS and the RS > separated somehow (different box, different domain, even different software > vendor) and you need to communicate a set of information about the approval > delegation from the AS (who has the context to know about it) through to the > RS (who needs to know about it to make the authorization call). JWT gives us > an interoperable way to do this by passing values inside the token itself, > introspection gives a way to pass the values by reference via the token as an > artifact. The two are complementary, and there are even cases where you'd > want to deploy them together. > > -- Justin > > On 7/28/2014 8:11 PM, Phil Hunt wrote: >> Could we have some discussion on the interop cases? >> >> Is it driven by scenarios where AS and resource are separate domains? Or may >> this be only of interest to specific protocols like UMA? >> >> From a technique principle, the draft is important and sound. I am just not >> there yet on the reasons for an interoperable standard. >> >> Phil >> >> On Jul 28, 2014, at 17:00, Thomas Broyer <[email protected]> wrote: >> >>> Yes. This spec is of special interest to the platform we're building for >>> http://www.oasis-eu.org/ >>> >>> >>> On Mon, Jul 28, 2014 at 7:33 PM, Hannes Tschofenig >>> <[email protected]> wrote: >>> Hi all, >>> >>> during the IETF #90 OAuth WG meeting, there was strong consensus in >>> adopting the "OAuth Token Introspection" >>> (draft-richer-oauth-introspection-06.txt) specification as an OAuth WG >>> work item. >>> >>> We would now like to verify the outcome of this call for adoption on the >>> OAuth WG mailing list. Here is the link to the document: >>> http://datatracker.ietf.org/doc/draft-richer-oauth-introspection/ >>> >>> If you did not hum at the IETF 90 OAuth WG meeting, and have an opinion >>> as to the suitability of adopting this document as a WG work item, >>> please send mail to the OAuth WG list indicating your opinion (Yes/No). >>> >>> The confirmation call for adoption will last until August 10, 2014. If >>> you have issues/edits/comments on the document, please send these >>> comments along to the list in your response to this Call for Adoption. >>> >>> Ciao >>> Hannes & Derek >>> >>> >>> _______________________________________________ >>> OAuth mailing list >>> [email protected] >>> https://www.ietf.org/mailman/listinfo/oauth >>> >>> >>> >>> >>> -- >>> Thomas Broyer >>> /tɔ.ma.bʁwa.je/ >>> _______________________________________________ >>> OAuth mailing list >>> [email protected] >>> https://www.ietf.org/mailman/listinfo/oauth >> >> >> _______________________________________________ >> OAuth mailing list >> [email protected] >> https://www.ietf.org/mailman/listinfo/oauth > > _______________________________________________ > OAuth mailing list > [email protected] > https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
