All the values in the token introspection response are optional, except for 
“active”. If you don’t have anything to say about a particular aspect of the 
token, or can’t say it to the software that’s asking, then you generally leave 
it out of the response.

 — Justin

> On Jan 16, 2016, at 11:02 AM, Vladimir Dzhuvinov <vladi...@connect2id.com> 
> wrote:
> 
> 
> 
> On 15/01/16 15:47, Sergey Beryozkin wrote:
>> Hi John
>> 
>> Thanks, looks like it was a last minute change because Introduction
>> does not explain why would clients want to use the introspection
>> endpoint to effectively 'unwrap' the opaque token representations.
>> 
>> I have another question. How to report the expiry time in cases when
>> the tokens do not expire ? I'm aware of some deployments where access
>> tokens are only manually deleted and otherwise would not expire.
>> 
>> Perhaps not reporting the expiry time is equivalent to the token never
>> expiring ? Or may be reporting 0 or -1 works ?
> 
> The core OAuth 2.0 spec seems to imply the former:
> 
> http://tools.ietf.org/html/rfc6749#section-5.1
> 
> Using a zero or negative integer may not be a good idea, as clients may
> just take the value as it is and add it to the current system time,
> concluding that the token has expired :)
> 
> 
> Cheers,
> 
> Vladimir
> 
> 
>> 
>> Thanks, Sergey
>> On 15/01/16 13:32, John Bradley wrote:
>>> Some people wanted the client to be able to use introspection.
>>> 
>>> The ability to pass a refresh token is a legacy of that.    A RS
>>> would never have a refresh token unless it is acting as a client.
>>> That is correct.
>>> 
>>> John B.
>>> 
>>>> On Jan 15, 2016, at 5:34 AM, Sergey Beryozkin <sberyoz...@gmail.com>
>>>> wrote:
>>>> 
>>>> Hi All,
>>>> 
>>>> I'm reviewing RFC 7622 as we are going ahead with implementing it.
>>>> I have a question:
>>>> 
>>>> 1. Token Hint in the introspection request.
>>>> The spec mentions 'refresh_token' as one of the possible values. But
>>>> a protected resource does not see a refresh token (ever ?), it is
>>>> Access Token service which does.
>>>> When would a protected resource use a 'refresh_token' hint when
>>>> requesting an introspection response ?
>>>> 
>>>> Thanks, Sergey
>>>> 
>>>> 
>>>> _______________________________________________
>>>> OAuth mailing list
>>>> OAuth@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/oauth
>>> 
>> 
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
> 
> --
> Vladimir Dzhuvinov
> 
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

Attachment: signature.asc
Description: Message signed with OpenPGP using GPGMail

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

Reply via email to