Hello, interesting thread, thanks.
Assuming the scopes are included in the token, the main purpose of call to the introspection endpoint is to ensure the token hasn't been revoked? We are considering a deployment where a RS can trust multiple AS, and having a JWT as access token, with issuer, scopes and basic identity information included seems to solve our issues. Thanks, Andrea 2016-03-13 9:03 GMT+08:00 Justin Richer <jric...@mit.edu>: > What we've done in deployments is to combine JWT and introspection. You > have all of your servers issue signed JWTs that include the "iss" (issuer) > in the body, signed with the key of the AS. The tokens also include a > random "jti" field. The RS submits the token to the introspection endpoint > of the server identified in "iss", but only after validating the signature > and other basic bits of information. If the introspection call comes back > positive (and with the right scope, client, and resource owner > information), the resource is served. > > -- Justin > > > On 3/11/2016 10:02 PM, Takahiko Kawasaki wrote: > > Hello, > > I have a question. > > If there exist multiple authorization servers that can issue access tokens > for one resource server, when the resource server receives an access token > from a client application, as the first step, the resource server has to > determine which authorization server to use for access token introspection. > > Is there any standard way to determine which authorization server to use? > > There may be several ways, for example: > > (1) Embed information about the access token issuer in the access token. > (2) Add a request parameter to identify the access token issuer. > (3) Separate protected resource endpoints for each authorization server. > > If there is a standard way, I'd like to know it. > > Best Regards, > Takahiko Kawasaki > > > > _______________________________________________ > OAuth mailing listOAuth@ietf.orghttps://www.ietf.org/mailman/listinfo/oauth > > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > >
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
