Perhaps we should consider leaving the root level JWT claims as-is per JWT and push the introspection response unmodified as if it was regular json response to a JWT claim called "introspection". Since regular introspection uses the same claim names as JWT this would get around all the conflicts.
Last time i brought it up the authors didn't want to consider it because of existing implementations. S pozdravem, *Filip Skokan* On Mon, 2 Mar 2020 at 07:52, Takahiko Kawasaki <[email protected]> wrote: > Thank you, Tatsuo Kudo, for showing me that Justin Richer expressed the > same concerns in this mailing list about 6 months ago (on Sep. 4, 2019). > RFC 8707 didn't exist then, though. > > *Re: [OAUTH-WG] Question regarding > draft-ietf-oauth-jwt-introspection-response-05* > https://mailarchive.ietf.org/arch/msg/oauth/LmMAxd35gW5Yox0j4MmU2rI_eUA/ > > A JWT puts both (a) information about itself and (b) other data in its > payload part. When the "other data" have the same claim names as are used > to express information about the JWT itself, conflicts happen. > > Also, it should be noted that Ben pointed out in other thread that the > requirement for "jti" in draft-ietf-oauth-jwt-introspection-response, which > says "jti" is a unique identifier for the access token that MUST be stable > for all introspection calls, contradicts the definition of "jti", which > should be unique for each JWT. > > *Re: [OAUTH-WG] Benjamin Kaduk's Discuss on > draft-ietf-oauth-jwt-introspection-response-08: (with DISCUSS and COMMENT)* > https://mailarchive.ietf.org/arch/msg/oauth/S4q7cF0TMZMzFO61I5M4QXCUWCM/ > > draft-ietf-oauth-jwt-introspection-response needs to be modified to solve > the conflicts. > > Taka > > On Sun, Mar 1, 2020 at 4:10 PM Takahiko Kawasaki <[email protected] > <[email protected]>> wrote: > >> Hello, >> >> I'm wondering if the following conflicts in "JWT Response for OAuth Token >> Introspection" (draft 8 >> <https://tools.ietf.org/html/draft-ietf-oauth-jwt-introspection-response-08>) >> have already been pointed out. >> >> RFC 8707 <https://tools.ietf.org/html/rfc8707> (Resource Indicators for >> OAuth 2.0) requires that 'aud' in an introspection response hold the values >> of the 'resource' request parameters, whereas "JWT Response for OAuth Token >> Introspection" says that 'aud' MUST identify the resource server receiving >> the token introspection response. The definitions conflict. >> >> RFC 7662 <https://tools.ietf.org/html/rfc7662> (OAuth 2.0 Token >> Introspection) requires that 'iat' in an introspection response indicate >> when the access/refresh token was issued, whereas "JWT Response for OAuth >> Token Introspection" says that 'iat' indicates when the introspection >> response in JWT format was issued. The definitions conflict. >> >> Best Regards, >> Takahiko Kawasaki >> Authlete, Inc. >> >> >> >> _______________________________________________ > OAuth mailing list > [email protected] > https://www.ietf.org/mailman/listinfo/oauth >
_______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
