As I see it, there are two different kinds of standardization for introspection
that could occur. One is defining a standard endpoint for doing introspection
on an access token and possibly refresh token. The other is defining standard
contents to be returned from the introspection.
I’m skeptical of the standard contents, given that access tokens and refresh
tokens are intentionally opaque. Implementations could range from being an
integer index into a database table, to being a UUID to being an encrypted JWT
with context-specific claims. I don’t see anything in common in those
implementations for introspection to return.
While I can see marginal utility to having a common endpoint and request
syntax, I would be against trying to standardize the contents of what an
introspection request might return. It’s as deployment-specific as the access
token representation itself.
-- Mike
From: OAuth [mailto:[email protected]] On Behalf Of Paul Madsen
Sent: Tuesday, July 29, 2014 2:48 AM
To: Phil Hunt
Cc: [email protected]
Subject: Re: [OAUTH-WG] Confirmation: Call for Adoption of "OAuth Token
Introspection" as an OAuth Working Group Item
Standardized Introspection will be valuable in NAPPS, where the AS and RS may
be in different policy domains.
Even for single policy domains, there are enterprise scenarios where the RS is
from a different vendor than the AS, such as when an API gateway validates
tokens issued by an 'IdP' . We've necessarily defined our own introspection
endpoint and our gateway partners have implemented it, (at the instruction of
the customer in question). But of course it's proprietary to us.
Paul
On Jul 28, 2014, at 8:59 PM, Phil Hunt
<[email protected]<mailto:[email protected]>> wrote:
That doesn’t explain the need for inter-operability. What you’ve described is
what will be common practice.
It’s a great open source technique, but that’s not a standard.
JWT is much different. JWT is a foundational specification that describes the
construction and parsing of JSON based tokens. There is inter-op with token
formats that build on top and there is inter-op between every communicating
party.
In OAuth, a site may never implement token introspection nor may it do it the
way you describe. Why would that be a problem? Why should the group spend
time on something where there may be no inter-op need.
Now that said, if you are in the UMA community. Inter-op is quite
foundational. It is very very important. But then maybe the spec should be
defined within UMA?
Phil
@independentid
www.independentid.com<http://www.independentid.com>
[email protected]<mailto:[email protected]>
On Jul 28, 2014, at 5:39 PM, Justin Richer
<[email protected]<mailto:[email protected]>> wrote:
It's analogous to JWT in many ways: when you've got the AS and the RS separated
somehow (different box, different domain, even different software vendor) and
you need to communicate a set of information about the approval delegation from
the AS (who has the context to know about it) through to the RS (who needs to
know about it to make the authorization call). JWT gives us an interoperable
way to do this by passing values inside the token itself, introspection gives a
way to pass the values by reference via the token as an artifact. The two are
complementary, and there are even cases where you'd want to deploy them
together.
-- Justin
On 7/28/2014 8:11 PM, Phil Hunt wrote:
Could we have some discussion on the interop cases?
Is it driven by scenarios where AS and resource are separate domains? Or may
this be only of interest to specific protocols like UMA?
From a technique principle, the draft is important and sound. I am just not
there yet on the reasons for an interoperable standard.
Phil
On Jul 28, 2014, at 17:00, Thomas Broyer
<[email protected]<mailto:[email protected]>> wrote:
Yes. This spec is of special interest to the platform we're building for
http://www.oasis-eu.org/
On Mon, Jul 28, 2014 at 7:33 PM, Hannes Tschofenig
<[email protected]<mailto:[email protected]>> wrote:
Hi all,
during the IETF #90 OAuth WG meeting, there was strong consensus in
adopting the "OAuth Token Introspection"
(draft-richer-oauth-introspection-06.txt) specification as an OAuth WG
work item.
We would now like to verify the outcome of this call for adoption on the
OAuth WG mailing list. Here is the link to the document:
http://datatracker.ietf.org/doc/draft-richer-oauth-introspection/
If you did not hum at the IETF 90 OAuth WG meeting, and have an opinion
as to the suitability of adopting this document as a WG work item,
please send mail to the OAuth WG list indicating your opinion (Yes/No).
The confirmation call for adoption will last until August 10, 2014. If
you have issues/edits/comments on the document, please send these
comments along to the list in your response to this Call for Adoption.
Ciao
Hannes & Derek
_______________________________________________
OAuth mailing list
[email protected]<mailto:[email protected]>
https://www.ietf.org/mailman/listinfo/oauth
--
Thomas Broyer
/tɔ.ma.bʁwa.je/<http://xn--nna.ma.xn--bwa-xxb.je/>
_______________________________________________
OAuth mailing list
[email protected]<mailto:[email protected]>
https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
[email protected]<mailto:[email protected]>
https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
[email protected]<mailto:[email protected]>
https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
[email protected]<mailto:[email protected]>
https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
