But if you want to handle revocation (and you do), then the alternative is short-lived access tokens with frequent refreshing, which also informs the AS of activity. So is this any better?
If an org running an RS decides to use a third-party AS (e.g. cloud hosted) then there are privacy implications to that arrangement, regardless of the specific technology used for token validation.

> On 26 Aug 2020, at 22:16, Mike Jones <[email protected]> wrote:
>
> I agree with Dick’s observation about the privacy implications of using an Introspection Endpoint. That’s why it’s preferable to not use one at all and instead directly have the Resource understand the Access Token. One way of doing this is the JWT Access Token spec. There are plenty of others.
>
> The downsides of using an Introspection Endpoint should be described in the Privacy Considerations section.
>
> -- Mike
>
> From: OAuth <[email protected]> On Behalf Of Dick Hardt
> Sent: Wednesday, August 26, 2020 9:52 AM
> To: Torsten Lodderstedt <[email protected]>
> Cc: [email protected]; oauth <[email protected]>
> Subject: Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-jwt-introspection-response-09.txt> (JWT Response for OAuth Token Introspection) to Proposed Standard
>
> On Wed, Aug 26, 2020 at 4:37 AM Torsten Lodderstedt <[email protected]> wrote:
>
> Hi Denis,
>
> On 25. Aug 2020, at 16:55, Denis <[email protected]> wrote:
>
> The fact that the AS will know exactly when the introspection call has been made and thus be able to make sure which client has attempted to perform an access to that RS and at which instant of time. The use of this call allows an AS to track where and when its clients have indeed presented an issued access token.
>
> That is a fact. I don’t think it is an issue per se. Please explain the privacy implications.
>
> As I see it, the privacy implication is that the AS knows when the client (and potentially the user) is accessing the RS, which is also an indication of when the user is using the client.
>
> I think including this implication would be important to have in a Privacy Considerations section.
>
> /Dick
_______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
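The trade-off the thread is debating (the RS validating a self-contained access token locally, so the AS sees nothing, versus a per-request introspection call the AS can log, with the revocation latency that local validation buys in exchange) is worked through in the added example below. It is not code from any of the messages above or from the cited drafts. To stay self-contained it assumes an HS256 secret shared between AS and RS (a real deployment would use asymmetric keys published at the AS's JWKS endpoint), and the names `mint_access_token`, `validate_locally` and `AuthorizationServer` are hypothetical.

```python
import base64
import binascii
import hashlib
import hmac
import json

# Constructed shared secret for this example only. Real deployments sign with
# an asymmetric key so the RS can verify without being able to mint tokens.
SHARED_KEY = b"example-key-do-not-use-in-production"
ISSUER = "https://as.example"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_access_token(key, sub, client_id, aud, lifetime_s, now, iss=ISSUER):
    """AS side: issue a self-contained JWT access token (typ=at+jwt style)."""
    header = {"alg": "HS256", "typ": "at+jwt"}
    claims = {"iss": iss, "sub": sub, "client_id": client_id, "aud": aud,
              "iat": now, "exp": now + lifetime_s, "jti": f"{sub}-{now}"}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def _verify_and_decode(token, key):
    """Check the HMAC over header.payload and return the claims, or None."""
    try:
        h_b64, c_b64, s_b64 = token.split(".")
        sig = _b64url_decode(s_b64)
        expected = hmac.new(key, f"{h_b64}.{c_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            return None
        header = json.loads(_b64url_decode(h_b64))
        claims = json.loads(_b64url_decode(c_b64))
    except (ValueError, binascii.Error, UnicodeDecodeError):
        return None
    # The verifier always uses HS256 above; the header is never trusted to pick
    # the algorithm. This check only rejects tokens that claim something else.
    if header.get("alg") != "HS256" or header.get("typ") != "at+jwt":
        return None
    return claims


def validate_locally(token, key, expected_aud, now, iss=ISSUER):
    """RS side: accept or reject with no round trip to the AS. Returns claims or None."""
    claims = _verify_and_decode(token, key)
    if claims is None:
        return None
    if claims.get("iss") != iss or claims.get("aud") != expected_aud:
        return None
    if now >= claims.get("exp", 0):
        return None
    return claims


class AuthorizationServer:
    """Introspection side: every call tells the AS which RS asked, when, and about which token."""

    def __init__(self, key):
        self.key = key
        self.revoked = set()
        self.introspection_log = []

    def revoke(self, jti):
        self.revoked.add(jti)

    def introspect(self, token, caller_rs, now):
        self.introspection_log.append({"at": now, "rs": caller_rs, "token": token})
        claims = _verify_and_decode(token, self.key)
        if claims is None or now >= claims["exp"] or claims["jti"] in self.revoked:
            return {"active": False}
        return {"active": True, "client_id": claims["client_id"], "sub": claims["sub"],
                "exp": claims["exp"]}


def demo(now=1_600_000_000):
    """Mint a 5-minute token, revoke it after 60s, compare both validation paths."""
    aud = "https://rs.example"
    as_ = AuthorizationServer(SHARED_KEY)
    token = mint_access_token(as_.key, "user123", "app-1", aud, 300, now)
    as_.revoke(_verify_and_decode(token, as_.key)["jti"])
    return {
        # Local validation cannot see the revocation until the token expires.
        "local_accepts_revoked_before_expiry": validate_locally(token, SHARED_KEY, aud, now + 120) is not None,
        # Introspection reflects it immediately, at the cost of the AS observing the call.
        "introspection_accepts_revoked": as_.introspect(token, aud, now + 120)["active"],
        "local_accepts_after_expiry": validate_locally(token, SHARED_KEY, aud, now + 300) is not None,
        "calls_observed_by_as": len(as_.introspection_log),
    }
```

Shortening `lifetime_s` is the only lever local validation has on revocation latency, which is exactly the "short-lived tokens with frequent refreshing" trade the first message raises: each refresh is itself a contact with the AS, so the activity signal moves from the introspection endpoint to the token endpoint rather than disappearing.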
