> On 20.07.2018 at 16:06, Anthony Nadalin <tonynad=40microsoft....@dmarc.ietf.org> wrote:
>
> I’m concerned over the security implications of a client being able to introspect a token, for bearer tokens this can be very problematic, so unless the issues with possible token theft can be addressed I don’t support this as a WG draft
Hi Tony,

I think this is an issue for introspection in general and not specific to our extension. If the token content needs to be kept confidential then the AS MUST authenticate the caller of the Introspection endpoint and apply a suitable authz policy. This is possible with Token Introspection and with our draft as well. Additionally, our draft allows encrypting the token response, adding an extra layer of defense.

kind regards,
Torsten.

> From: OAuth <oauth-boun...@ietf.org> On Behalf Of Rifaat Shekh-Yusef
> Sent: Thursday, July 19, 2018 10:44 AM
> To: oauth <oauth@ietf.org>
> Subject: [OAUTH-WG] Call for adoption of "JWT Response for OAuth Token Introspection"
>
> Hi all,
>
> This is the call for adoption of the 'JWT Response for OAuth Token Introspection' document following the presentation by Torsten at the Montreal IETF meeting where we didn't have a chance to do a call for adoption in the meeting itself.
>
> Here is presentation by Torsten:
> https://datatracker.ietf.org/meeting/102/materials/slides-102-oauth-sessa-jwt-response-for-oauth-token-introspection-00
>
> Here is the document:
> https://tools.ietf.org/html/draft-lodderstedt-oauth-jwt-introspection-response-01
>
> Please let us know by August 2nd whether you accept / object to the adoption of this document as a starting point for work in the OAuth working group.
>
> Regards,
> Hannes & Rifaat
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
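The two controls Torsten names (the AS authenticates the caller of the introspection endpoint, then applies an authorization policy before revealing anything about the token) and the JWT-shaped response are illustrated below. This is an added example written for this page, not code from the draft, the mailing list thread or any IETF implementation. It uses only the Python standard library and constructed sample data: the client registry, the token store, the HS256 key and the issuer URL are all made up. The JWT response nests the introspection claims under a `token_introspection` claim so that the JWT's own `aud` (the calling resource server) does not collide with the token's `aud`; treat that layout as an assumption of this example rather than the exact format of the -01 draft. Signing is shown; the optional encryption layer the draft allows is not, since the standard library has no JWE support.

```python
import base64
import hashlib
import hmac
import json
import time

# ---- constructed sample data (not from the thread) ----------------------

# Resource servers allowed to call the introspection endpoint, with their
# client secrets.  A real AS would store these hashed; kept plain for brevity.
CALLERS = {
    "rs-api": "rs-api-secret",
    "rs-billing": "rs-billing-secret",
}

# Issued access tokens, keyed by token value, with the audiences they were minted for.
TOKENS = {
    "tok-abc": {"sub": "alice", "scope": "read", "aud": ["rs-api"], "exp": time.time() + 600},
    "tok-expired": {"sub": "bob", "scope": "read", "aud": ["rs-api"], "exp": time.time() - 1},
}

JWT_HMAC_KEY = b"constructed-hs256-key"   # assumption: key shared between AS and RSs
AS_ISSUER = "https://as.example"          # constructed issuer identifier


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def basic_auth(client_id: str, secret: str) -> str:
    """Build an HTTP Basic Authorization header value for a caller."""
    return "Basic " + base64.b64encode(f"{client_id}:{secret}".encode()).decode()


def authenticate_caller(authorization_header):
    """Step 1: authenticate the caller (HTTP Basic client credentials).
    Returns the caller's client_id, or None if authentication fails."""
    if not authorization_header or not authorization_header.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(authorization_header[len("Basic "):]).decode()
    except ValueError:          # binascii.Error and UnicodeDecodeError are subclasses
        return None
    client_id, _, secret = raw.partition(":")
    expected = CALLERS.get(client_id)
    if expected is None or not hmac.compare_digest(expected.encode(), secret.encode()):
        return None
    return client_id


def sign_response(claims, audience):
    """Wrap the introspection claims in an HS256-signed JWT addressed to the caller."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": AS_ISSUER, "aud": audience, "iat": int(time.time()),
               "token_introspection": claims}
    enc = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = enc(header) + "." + enc(payload)
    sig = hmac.new(JWT_HMAC_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def introspect(authorization_header, token, as_jwt=False):
    """Introspection endpoint logic. Returns (http_status, body).

    - an unauthenticated caller gets 401 and learns nothing about the token
    - an authenticated caller that is not in the token's audience is told only
      that the token is inactive for it (policy: never expose other RSs' tokens)
    - otherwise the claims are returned as plain JSON or as a signed JWT
    """
    caller = authenticate_caller(authorization_header)
    if caller is None:
        return 401, None
    data = TOKENS.get(token)
    active = data is not None and data["exp"] > time.time() and caller in data["aud"]
    if not active:
        claims = {"active": False}
    else:
        claims = {"active": True, "sub": data["sub"], "scope": data["scope"],
                  "aud": data["aud"], "exp": int(data["exp"])}
    return 200, (sign_response(claims, caller) if as_jwt else claims)


def verify_response(jwt_value, expected_audience):
    """Resource-server side: verify signature, issuer and audience before trusting claims."""
    try:
        h, p, s = jwt_value.split(".")
    except ValueError:
        return None
    expected = hmac.new(JWT_HMAC_KEY, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), s):
        return None
    payload = json.loads(base64.urlsafe_b64decode(p + "=" * (-len(p) % 4)))
    if payload.get("iss") != AS_ISSUER or payload.get("aud") != expected_audience:
        return None
    return payload


if __name__ == "__main__":
    status, body = introspect(basic_auth("rs-api", "rs-api-secret"), "tok-abc", as_jwt=True)
    print(status, verify_response(body, "rs-api"))
```

The policy step is what makes the difference Torsten describes: with caller authentication alone, any registered client could still read every token's claims, while the audience check above confines each resource server to the tokens meant for it. The signed JWT form lets the resource server detect a tampered or misdirected response, which a plain JSON body cannot offer on its own.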