hi Sergey, just my 2 cents let’s start from a simple fact that encryption is not authentication. :)
Now, if the claim sets of a JWS contain only non-confidential information, JWS is enough. See also inline.

On Feb 23, 2016, at 6:15 PM, Sergey Beryozkin <sberyoz...@gmail.com> wrote:

> Hi
>
> Some OAuth2 providers may return self-contained access tokens which are JWS
> Compact-encoded.
> I wonder whether it is really a good idea and would it not be better to only
> JWE-encrypt the tokens. I'm not sure JWS signing the claims is necessarily
> faster than only encrypting the claims, assuming the symmetric algorithms are
> used in both cases.

JWE algorithms are all AEAD AFAIK, so it is not only symmetric encryption; plus there is the content key "wrap algorithm".

regards
antonio

> For example, my colleague and myself, while dealing with the issue related to
> parsing an access token response from a 3rd party provider, were able to
> easily check the content of the JWS-signed access_token by simply submitting
> an easily recognized JWS Compact-formatted value (3 dots) into our JWS reader
> - we did not have to worry about decrypting it, nor did the fact that we did not
> validate the signature matter.
>
> But access tokens are opaque values as far as the clients are concerned and
> if the introspection is needed then the introspection endpoint does exist for
> that purpose...
>
> Thanks, Sergey
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
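An added example, not part of this thread, illustrating the point both posters make in Python with only the standard library: the claims of a JWS Compact token are readable by anyone without a key (signing is not hiding), and only the HMAC check with the key tells a verifier whether the claims may be trusted. The key and the claims are constructed for the demo.

```python
# Added example: JWS Compact Serialization (RFC 7515) with HS256, stdlib only.
# Signing makes claims tamper-evident, not confidential; JWE would be needed for that.
import base64
import hashlib
import hmac
import json
from typing import Optional

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_hs256(claims: dict, key: bytes) -> str:
    """Build header.payload.signature; only the third part depends on the key."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def peek_claims(token: str) -> dict:
    """Read the claims WITHOUT any key: the payload is plain base64url JSON."""
    _header, payload, _sig = token.split(".")
    return json.loads(b64url_decode(payload))

def verify_hs256(token: str, key: bytes) -> Optional[dict]:
    """Return the claims only if the HMAC verifies under our key, else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        return None
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never trust the token's own choice
        return None
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None
    return json.loads(b64url_decode(payload_b64))

def with_modified_payload(token: str) -> str:
    """Same header and signature, different claims: a verifier must reject this."""
    header, _payload, sig = token.split(".")
    forged = b64url_encode(json.dumps({"sub": "alice", "scope": "admin"}, separators=(",", ":")).encode())
    return f"{header}.{forged}.{sig}"

KEY = b"constructed-demo-key-not-for-real-use"   # constructed, demo only
TOKEN = sign_hs256({"sub": "alice", "scope": "read"}, KEY)  # constructed claims
```

`peek_claims(TOKEN)` returns the claims with no key at all, while `verify_hs256(with_modified_payload(TOKEN), KEY)` returns None, which is the check a resource server has to perform before acting on any claim.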