Hi WG. draft-ietf-oauth-jwt-introspection-response-10 proposes to return signed JWTs as a response from the introspection endpoint... which is making me wonder if there are any particular reasons not to avail ourselves of the JSON Web Signature (JWS) Unencoded Payload Option (RFC 7797) and the X-JWS-SIGNATURE HTTP header in order to achieve the same goals?
Pros would be:

1. a token introspection response remains exactly the same as it was before, with the exception of a JWT in the X-JWS-SIGNATURE HTTP header (where the detached payload is the actual token introspection response)
2. the AS can safely enable it for all responses from the introspection endpoint, so clients who don't require or just aren't aware of this header will continue to work as before and, accordingly, the clients who require some stronger assurance will require and check a JWT in the X-JWS-SIGNATURE HTTP header
3. the same approach could also work for other endpoints such as the revocation and OIDC UserInfo endpoints

What do you think?

Regards,
Andrii
_______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
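To make the proposal above concrete, here is an added example (not code from the original message, nor from any IETF draft or library) of what the AS and a resource server would each do with an X-JWS-SIGNATURE header carrying a detached, unencoded-payload JWS: HS256 with a constructed shared secret and a constructed introspection body stand in for the AS's real signing key and real response.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret shared by the AS and the resource server (hypothetical;
# a real AS would sign with an asymmetric key published in its JWKS).
SHARED_KEY = b"constructed-demo-secret-do-not-use"

# Constructed RFC 7662-style introspection response; it is sent on the wire unchanged.
INTROSPECTION_BODY = json.dumps(
    {"active": True, "scope": "read write", "client_id": "client-123", "sub": "user-456"},
    separators=(",", ":"),
).encode()

def b64url(data: bytes) -> str:
    """Base64url without padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_detached(body: bytes, key: bytes) -> str:
    """AS side: X-JWS-SIGNATURE value, a detached JWS (RFC 7797, b64=false) over the raw body.
    Signing input is BASE64URL(header) '.' body, so the body stays plain JSON;
    "crit": ["b64"] makes verifiers that do not understand b64 reject it outright.
    """
    header = {"alg": "HS256", "b64": False, "crit": ["b64"]}
    protected = b64url(json.dumps(header, separators=(",", ":")).encode())
    sig = hmac.new(key, protected.encode() + b"." + body, hashlib.sha256).digest()
    return f"{protected}..{b64url(sig)}"  # empty middle segment = detached payload

def verify_detached(header_value: str, body: bytes, key: bytes) -> bool:
    """Resource server side: check X-JWS-SIGNATURE against the body it actually received."""
    parts = header_value.split(".")
    if len(parts) != 3 or parts[1] != "":
        return False  # not a compact JWS, or the payload was not detached
    protected, _, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(protected))
    except ValueError:
        return False
    # Pin the algorithm and insist that the unencoded-payload option is declared critical.
    if header.get("alg") != "HS256" or header.get("b64") is not False:
        return False
    if "b64" not in header.get("crit", []):
        return False
    expected = hmac.new(key, protected.encode() + b"." + body, hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig_b64))
```

A client that ignores the header simply parses the body as today; a client that wants the assurance recomputes the signature over the exact bytes it received, so any in-transit change to the body fails verification.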
