What we've done in deployments is to combine JWT and introspection. You
have all of your servers issue signed JWTs that include the "iss"
(issuer) in the body, signed with the key of the AS. The tokens also
include a random "jti" field. The RS submits the token to the
introspection endpoint of the server identified in "iss", but only after
validating the signature and other basic bits of information. If the
introspection call comes back positive (and with the right scope,
client, and resource owner information), the resource is served.
-- Justin
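The scheme Justin describes, as an added example that is not code from this thread or from any authorization server product: the resource server parses the JWT, maps "iss" to a trusted key, verifies the signature and expiry offline, and only then calls that issuer's introspection endpoint. HS256 with per-issuer shared secrets, the issuer URLs, and the injected introspect callable are assumptions made so the example runs without a network.

```python
import base64, hashlib, hmac, json, secrets, time

# Constructed trust list: which AS keys the RS trusts and each one's introspection
# endpoint (hypothetical issuer URLs and secrets, not real deployments).
ISSUERS = {
    "https://as1.example": {"key": b"as1-secret", "introspect": "https://as1.example/introspect"},
    "https://as2.example": {"key": b"as2-secret", "introspect": "https://as2.example/introspect"},
}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(iss: str, sub: str, scope: str, ttl: int = 300) -> str:
    """AS side (simplified stand-in): HS256 JWT carrying iss and a random jti."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"iss": iss, "sub": sub, "scope": scope, "exp": int(time.time()) + ttl,
              "jti": secrets.token_urlsafe(16)}  # jti gives the AS a handle to track/revoke
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(ISSUERS[iss]["key"], f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"

def local_validate(token: str) -> dict:
    """RS step 1: verify alg, issuer, signature and expiry before any network call."""
    header, body, sig = token.split(".")
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # the token never gets to pick the algorithm
    claims = json.loads(b64url_decode(body))
    cfg = ISSUERS.get(claims.get("iss"))
    if cfg is None:
        raise ValueError("unknown issuer")  # untrusted iss: do not contact it at all
    expected = hmac.new(cfg["key"], f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    if claims.get("exp", 0) < time.time():
        raise ValueError("expired")
    return claims

def authorize(token: str, required_scope: str, client_id: str, introspect) -> bool:
    """RS step 2: route to the issuer's introspection endpoint (introspect(url, token)
    returns an RFC 7662-style dict); serve only if active with matching client,
    resource owner and scope."""
    claims = local_validate(token)
    resp = introspect(ISSUERS[claims["iss"]]["introspect"], token)
    return (resp.get("active") is True and resp.get("client_id") == client_id
            and resp.get("sub") == claims["sub"]
            and required_scope in resp.get("scope", "").split())
```

In a real RS the introspect callable would POST the token to the URL with the RS's own client credentials; a token whose "iss" is not in the trust list is rejected without ever being sent anywhere.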
On 3/11/2016 10:02 PM, Takahiko Kawasaki wrote:
Hello,
I have a question.
If there exist multiple authorization servers that can issue access
tokens for one resource server, when the resource server receives an
access token from a client application, as the first step, the
resource server has to determine which authorization server to use for
access token introspection.
Is there any standard way to determine which authorization server to use?
There may be several ways, for example:
(1) Embed information about the access token issuer in the access token.
(2) Add a request parameter to identify the access token issuer.
(3) Separate protected resource endpoints for each authorization server.
If there is a standard way, I'd like to know it.
Best Regards,
Takahiko Kawasaki
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth