And now with the list copied...
-------- Original Message --------
Subject: Re: [OAUTH-WG] New Token Introspection Draft
Date: Fri, 04 Jul 2014 07:50:18 -0400
From: Justin Richer <jric...@mit.edu>
To: Nat Sakimura <sakim...@gmail.com>

Interesting question. In my mental model of how this works, you're asking the same AS that issued the token, so the "iss" is kind of a given if the token is valid. Would there be a use for the server echoing that back explicitly? Would people be using an introspection server that can handle multiple issuers? I'm not against adding it, I simply didn't see a use for it.

Another data point: In our deployments of this, we're actually sending out JWT formatted tokens that contain "iss" and a couple other fields. The clients who care to do so check the "iss" field and the signature themselves, but use introspection to find out which user this token was issued to, what scopes it has, and all that detailed info. Some RS's need it, some don't care.

 -- Justin

On 7/4/2014 6:15 AM, Nat Sakimura wrote:
> Thanks Justin.
>
> Is there any reason that there is no iss claim returned?
>
> =nat via iPhone
>
>> On Jul 4, 2014, at 9:10, Justin Richer <jric...@mit.edu> wrote:
>>
>> I’ve updated the token introspection draft with the intention that this
>> document become input for a new working group item.
>>
>> http://tools.ietf.org/html/draft-richer-oauth-introspection-05
>>
>> The changes are mostly minimal edits to the text and a few reference fixes.
>> One bigger change is the addition of the “user_id” field in addition to the
>> “sub” field, as I’ve been asked by some users to add that feature to our own
>> implementation here.
>>
>> ― Justin
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
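The pattern described in the reply above (a resource server checks "iss" and the signature of a JWT-formatted token itself, then uses introspection for the subject and scopes), as an added example that is not part of the original thread or of anyone's deployment. It assumes HS256 with a shared key, a constructed issuer URL, and the "active" and "scope" response members of the introspection draft; the introspection call is a constructed in-memory stand-in.

```python
import base64, hashlib, hmac, json

KEY = b"constructed-demo-key"          # assumption: HS256 shared key
ISS = "https://as.example.org/"        # assumption: the one trusted issuer

def b64d(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64e(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_token(claims, key=KEY):
    """Build a constructed HS256 JWT to feed the checks below."""
    head = b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64e(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64e(sig)}"

def check_locally(token, key=KEY, expected_iss=ISS):
    """Verify the signature and "iss" without contacting the AS."""
    try:
        h, b, s = token.split(".")
        header, claims, sig = json.loads(b64d(h)), json.loads(b64d(b)), b64d(s)
    except (ValueError, TypeError):
        return None                    # not a well-formed three-part JWT
    # Pin the algorithm; never let the token header choose it.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    good = hmac.new(key, f"{h}.{b}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, good):
        return None
    if not isinstance(claims, dict) or claims.get("iss") != expected_iss:
        return None
    return claims

def authorize(token, introspect, required_scope):
    """Local iss/signature check first, then introspection for user and scopes."""
    if check_locally(token) is None:
        return None                    # rejected before any call to the AS
    info = introspect(token)
    if not info.get("active"):
        return None                    # revoked or expired at the AS
    if required_scope not in info.get("scope", "").split():
        return None
    return info.get("sub")

def fake_introspect(store):
    """Constructed stand-in for the AS introspection endpoint."""
    return lambda token: store.get(token, {"active": False})
```

The local check cannot see revocation, which is why `authorize` still requires an active introspection result before returning a subject.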