Yes indeed, a nice job!
I have one question on the RFC.
Not sure where I can submit a request for comments. Hence, adding to this email
thread.
In the use-case mentioned below:
"The following is a non-normative example response for a token that
has been revoked or is otherwise invalid:
HTTP/1.1 200 OK
Content-Type: application/json
{
"active": false
}"
Where the token is revoked or invalid, why not send an HTTP response code of 400?
There are 2 benefits for the same.
A. Just looking at the header, we know that token validation didn't go through.
No need to look in the payload. This is especially very helpful in gateway
design implementation.
B. You are further hiding from the user why the request failed and not letting
him know if the token was processed by the server.
Cheers
Vivek
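Added example for the gateway case discussed above (my own code, not part of this thread or of RFC 7662): a fail-closed evaluation of an introspection response. Under the RFC's semantics the 200 status alone says nothing about the token, so the body has to be parsed in every case, and the same parse step can also check "exp" and "scope", which a bare status code could not carry. The sample responses are constructed, and the function name and parameters are assumptions of this example.

```python
import json
import time
from typing import Optional, Tuple

# Constructed sample responses, modelled on the shape RFC 7662 gives for the
# introspection endpoint. None of these were captured from a real server.
SAMPLE_INACTIVE = (200, "application/json", b'{"active": false}')
SAMPLE_ACTIVE = (
    200,
    "application/json; charset=utf-8",
    b'{"active": true, "scope": "read write", "client_id": "example-client",'
    b' "username": "jdoe", "exp": 4102444800}',  # constructed exp: year 2100
)
SAMPLE_ERROR = (400, "application/json", b'{"error": "invalid_request"}')
SAMPLE_STRING_ACTIVE = (200, "application/json", b'{"active": "true"}')
SAMPLE_HTML = (200, "text/html", b"<html>login</html>")


def evaluate_introspection(
    status: int,
    content_type: str,
    body: bytes,
    required_scope: Optional[str] = None,
    now: Optional[float] = None,
) -> Tuple[bool, str]:
    """Return (allow, reason) for one introspection response.

    Fails closed: the request is forwarded only when the status is 200, the
    body is a JSON object, "active" is the JSON boolean true, any "exp" lies
    in the future and, when asked for, the required scope was granted.
    """
    if now is None:
        now = time.time()
    if status != 200:
        # A non-200 status reports a problem with the introspection call
        # itself (client auth, malformed request), not the token's state.
        return False, f"introspection endpoint returned HTTP {status}"
    media_type = content_type.split(";", 1)[0].strip().lower()
    if media_type != "application/json":
        return False, f"unexpected content type {media_type!r}"
    try:
        doc = json.loads(body)
    except ValueError:
        return False, "body is not valid JSON"
    if not isinstance(doc, dict):
        return False, "body is not a JSON object"
    # "is not True" rejects the string "true", the number 1 and a missing member.
    if doc.get("active") is not True:
        return False, "token is not active"
    exp = doc.get("exp")
    if exp is not None:
        if isinstance(exp, bool) or not isinstance(exp, (int, float)) or exp <= now:
            return False, "token expired or exp malformed"
    if required_scope is not None:
        granted = doc.get("scope", "")
        if not isinstance(granted, str) or required_scope not in granted.split():
            return False, f"scope {required_scope!r} not granted"
    return True, "token active"


def demo() -> dict:
    """Run the constructed samples through the check (fixed 'now' for stability)."""
    fixed_now = 1_700_000_000
    return {
        "inactive": evaluate_introspection(*SAMPLE_INACTIVE, now=fixed_now),
        "active_read": evaluate_introspection(*SAMPLE_ACTIVE, required_scope="read", now=fixed_now),
        "active_admin": evaluate_introspection(*SAMPLE_ACTIVE, required_scope="admin", now=fixed_now),
        "error_400": evaluate_introspection(*SAMPLE_ERROR, now=fixed_now),
        "string_active": evaluate_introspection(*SAMPLE_STRING_ACTIVE, now=fixed_now),
        "html": evaluate_introspection(*SAMPLE_HTML, now=fixed_now),
    }


if __name__ == "__main__":
    for name, (allow, reason) in demo().items():
        print(f"{name:14s} allow={allow!s:5s} {reason}")
```

A 4xx from the endpoint is treated here as a failed introspection call rather than as a verdict on the token, which is the distinction the RFC's 200/"active": false design preserves; the gateway denies in both cases, but logs them differently.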
From: Kathleen Moriarty <[email protected]>
To: Hannes Tschofenig <[email protected]>
Cc: "<[email protected]>" <[email protected]>
Sent: Wednesday, October 21, 2015 4:47 AM
Subject: Re: [OAUTH-WG] RFC 7662 on OAuth 2.0 Token Introspection
Yes, nice job!
Sent from my iPhone
> On Oct 21, 2015, at 4:20 AM, Hannes Tschofenig <[email protected]>
> wrote:
>
> Thank you Justin for the hard work!
>
>> On 10/20/2015 06:32 PM, Justin Richer wrote:
>> Thank you to everyone who helped make token introspection into a real
>> standard!
>>
>> — Justin
>>
>>> On Oct 19, 2015, at 6:56 PM, [email protected] wrote:
>>>
>>> A new Request for Comments is now available in online RFC libraries.
>>>
>>>
>>> RFC 7662
>>>
>>> Title: OAuth 2.0 Token Introspection
>>> Author: J. Richer, Ed.
>>> Status: Standards Track
>>> Stream: IETF
>>> Date: October 2015
>>> Mailbox: [email protected]
>>> Pages: 17
>>> Characters: 36591
>>> Updates/Obsoletes/SeeAlso: None
>>>
>>> I-D Tag: draft-ietf-oauth-introspection-11.txt
>>>
>>> URL: https://www.rfc-editor.org/info/rfc7662
>>>
>>> DOI: http://dx.doi.org/10.17487/RFC7662
>>>
>>> This specification defines a method for a protected resource to query
>>> an OAuth 2.0 authorization server to determine the active state of an
>>> OAuth 2.0 token and to determine meta-information about this token.
>>> OAuth 2.0 deployments can use this method to convey information about
>>> the authorization context of the token from the authorization server
>>> to the protected resource.
>>>
>>> This document is a product of the Web Authorization Protocol Working Group
>>> of the IETF.
>>>
>>> This is now a Proposed Standard.
>>>
>>> STANDARDS TRACK: This document specifies an Internet Standards Track
>>> protocol for the Internet community, and requests discussion and suggestions
>>> for improvements. Please refer to the current edition of the Official
>>> Internet Protocol Standards (https://www.rfc-editor.org/standards) for the
>>> standardization state and status of this protocol. Distribution of this
>>> memo is unlimited.
>>>
>>> This announcement is sent to the IETF-Announce and rfc-dist lists.
>>> To subscribe or unsubscribe, see
>>> https://www.ietf.org/mailman/listinfo/ietf-announce
>>> https://mailman.rfc-editor.org/mailman/listinfo/rfc-dist
>>>
>>> For searching the RFC series, see https://www.rfc-editor.org/search
>>> For downloading RFCs, see https://www.rfc-editor.org/rfc.html
>>>
>>> Requests for special distribution should be addressed to either the
>>> author of the RFC in question, or to [email protected]. Unless
>>> specifically noted otherwise on the RFC itself, all RFCs are for
>>> unlimited distribution.
>>>
>>>
>>> The RFC Editor Team
>>> Association Management Solutions, LLC
>>>
>>>
>>> _______________________________________________
>>> OAuth mailing list
>>> [email protected]
>>> https://www.ietf.org/mailman/listinfo/oauth
>>
>> _______________________________________________
>> OAuth mailing list
>> [email protected]
>> https://www.ietf.org/mailman/listinfo/oauth
>
> _______________________________________________
> OAuth mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth