Hi
Some OAuth2 providers may return self-contained access tokens which are
JWS Compact-encoded.
I wonder whether it is really a good idea and whether it would not be better
to only JWE-encrypt the tokens. I'm not sure JWS signing the claims is
necessarily faster than only encrypting the claims, assuming
symmetric algorithms are used in both cases.
For example, my colleague and myself, while dealing with the issue
related to parsing an access token response from a 3rd party provider
were able to easily check the content of the JWS-signed access_token by
simply submitting an easily recognized JWS Compact-formatted value (3
dots) into our JWS reader - we did not have to worry about decrypting it,
nor did the fact that we did not validate the signature matter.
But access tokens are opaque values as far as the clients are concerned
and if the introspection is needed then the introspection endpoint does
exist for that purpose...
Thanks, Sergey
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
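The behaviour described in the message above, as an added example that is not code from the message, the OAuth list or any provider: a JWS Compact token is three base64url segments, so any reader can decode the claims segment without knowing the key, because signing gives integrity but not confidentiality. The block signs a constructed claim set with HS256 using only the Python standard library, decodes the claims the way the "JWS reader" in the message does (no verification), and then applies the check a resource server has to do before trusting those claims: recompute the HMAC and compare it in constant time. The key, the claims and the tampered copy used as the negative test are all constructed here; the function names are this example's own.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key and claims; not from any real authorization server.
DEMO_KEY = b"constructed-demo-hmac-key-not-for-production"
DEMO_CLAIMS = {"iss": "https://as.example", "sub": "alice", "scope": "read", "exp": 1700000000}


def b64url_encode(data: bytes) -> str:
    """Base64url without '=' padding, as JWS Compact Serialization (RFC 7515) uses."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; restores the stripped padding before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jws_hs256_sign(claims: dict, key: bytes) -> str:
    """Build a JWS Compact token: header.payload.signature, HMAC-SHA256 over header.payload."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    signature = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(signature)}"


def peek_claims_without_verifying(token: str) -> dict:
    """What a plain 'JWS reader' does: decode the middle segment and ignore the signature.
    No key is needed, which is exactly why a signed-only token is not confidential."""
    _header, payload, _signature = token.split(".")
    return json.loads(b64url_decode(payload))


def verify_hs256_and_get_claims(token: str, key: bytes) -> dict:
    """The check a resource server performs before trusting the claims: pin the expected
    'alg', recompute the HMAC over header.payload and compare in constant time.
    Claim checks such as 'exp' and 'aud' are deliberately left out of this demonstration."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWS Compact token: expected 3 segments")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg in JWS header")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("JWS signature does not verify")
    return json.loads(b64url_decode(payload_b64))


def tampered_copy(token: str, new_sub: str) -> str:
    """Negative test input: same header and signature, but a rewritten 'sub' claim.
    Peeking accepts it; verification must reject it."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    claims = json.loads(b64url_decode(payload_b64))
    claims["sub"] = new_sub
    new_payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header_b64}.{new_payload}.{sig_b64}"


if __name__ == "__main__":
    token = jws_hs256_sign(DEMO_CLAIMS, DEMO_KEY)
    print("claims readable without key:", peek_claims_without_verifying(token))
    print("claims after verification:  ", verify_hs256_and_get_claims(token, DEMO_KEY))
    bad = tampered_copy(token, "mallory")
    print("tampered token still peeks as:", peek_claims_without_verifying(bad)["sub"])
    try:
        verify_hs256_and_get_claims(bad, DEMO_KEY)
    except ValueError as err:
        print("tampered token rejected by verifier:", err)
```

The point the two readers make together is the one raised in the message: the unverified reader exposes the claims to anyone holding the token string, so JWS alone gives a resource server integrity but gives the client no opacity; only encrypting (JWE) or keeping the token a reference resolved through introspection keeps the claims out of the client's view.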