I agree with Dick’s observation about the privacy implications of using an
Introspection Endpoint. That’s why it’s preferable to not use one at all and
instead directly have the Resource understand the Access Token. One way of
doing this is the JWT Access Token spec. There are plenty of others.
The downsides of using an Introspection Endpoint should be described in the
Privacy Considerations section.
-- Mike
From: OAuth <[email protected]> On Behalf Of Dick Hardt
Sent: Wednesday, August 26, 2020 9:52 AM
To: Torsten Lodderstedt <[email protected]>
Cc: [email protected]; oauth <[email protected]>
Subject: Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-jwt-introspection-response-09.txt> (JWT Response for OAuth Token Introspection) to Proposed Standard
On Wed, Aug 26, 2020 at 4:37 AM Torsten Lodderstedt <[email protected]> wrote:
Hi Denis,
> On 25. Aug 2020, at 16:55, Denis <[email protected]> wrote:
> The fact that the AS will know exactly when the introspection call has been
> made and thus be able to make sure which client has attempted to perform an
> access to that RS and at which instant of time. The use of this call allows
> an AS to track where and when its clients have indeed presented an issued
> access token.
That is a fact. I don’t think it is an issue per se. Please explain the privacy
implications.
As I see it, the privacy implication is that the AS knows when the client (and
potentially the user) is accessing the RS, which is also an indication of when
the user is using the client.
I think including this implication would be important to have in a Privacy
Considerations section.
/Dick
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
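Local validation of a JWT access token at the resource, the alternative Mike describes, as an added example that is not code from this thread or from any of the drafts. The issuer, audience and HS256 shared secret are constructed placeholders; a real RS would instead verify an asymmetric signature against the AS's published JWKS, but the privacy property is the same: the RS decides on its own and the AS never sees a per-request call.

```python
# Added example: a resource server validating a JWT access token (RFC 9068 profile,
# "typ": "at+jwt") locally, so no introspection call reaches the AS and the AS does
# not learn when or where the client presented the token.
# Assumption: HS256 with a shared AS<->RS secret is used only so the example is
# self-contained; production deployments verify an asymmetric signature via JWKS.
import base64, hashlib, hmac, json, time
from typing import Optional

SHARED_SECRET = b"constructed-demo-secret"   # constructed shared key
EXPECTED_ISS = "https://as.example"           # constructed issuer
EXPECTED_AUD = "https://rs.example"           # constructed audience (this RS)

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_token(claims: dict) -> str:
    """Constructed AS side: issue an at+jwt so the RS side has realistic input."""
    header = {"alg": "HS256", "typ": "at+jwt"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(p, separators=(",", ":")).encode())
        for p in (header, claims))
    sig = hmac.new(SHARED_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)

def validate_locally(token: str, now: Optional[int] = None) -> Optional[dict]:
    """RS side: return the claims if the token is acceptable, else None. No network I/O."""
    now = int(time.time()) if now is None else now
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(_b64url_decode(h_b64))
        # Pin the algorithm and token type; never honour "alg": "none" or a refresh/ID token.
        if header.get("alg") != "HS256" or header.get("typ") != "at+jwt":
            return None
        expected = hmac.new(SHARED_SECRET, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
            return None                      # signature mismatch: token was altered or forged
        claims = json.loads(_b64url_decode(p_b64))
    except ValueError:                       # covers bad base64, bad JSON, wrong segment count
        return None
    aud = claims.get("aud")
    aud_ok = EXPECTED_AUD in aud if isinstance(aud, list) else aud == EXPECTED_AUD
    if claims.get("iss") != EXPECTED_ISS or not aud_ok or claims.get("exp", 0) <= now:
        return None                          # wrong issuer, not for this RS, or expired
    return claims
```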