This was the original requirement:

" multiple authorization servers that can issue access tokens for one resource server, when the resource server receives an access token from a client application, as the first step, the resource server has to determine which authorization server to use for access token introspection."

Not sure we're all on the same page after numerous responses...

So the fact that the token is an encrypted JWT is great... the question is: who issued it? That's why I was thinking of a url encoded JWT with the issuer + the encrypted token, such as {"iss": "https://as.example.com", "token": "(encrypted JWT)"}

- Mike


_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
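
The following is an added example, not part of the original message or of any OAuth specification: a resource-server sketch of the wrapper idea above, which uses the outer `iss` only as a lookup key into locally configured authorization servers. It assumes the wrapper is base64url-encoded JSON with `iss` and `token` members; the endpoint URLs and the function names `route_token` and `wrap` are hypothetical.

```python
import base64
import json

# Constructed configuration: issuer -> introspection endpoint (hypothetical URLs).
TRUSTED_ISSUERS = {
    "https://as.example.com": "https://as.example.com/introspect",
    "https://as2.example.com": "https://as2.example.com/introspect",
}


class RoutingError(ValueError):
    """The wrapper cannot be routed to a configured authorization server."""


def _b64url_decode(data: str) -> bytes:
    # base64url without padding, as used for JWT segments
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def route_token(wrapped: str) -> tuple[str, str]:
    """Return (introspection_endpoint, inner_token) for a wrapped token."""
    try:
        obj = json.loads(_b64url_decode(wrapped))
    except ValueError as exc:  # bad base64, bad UTF-8 or bad JSON
        raise RoutingError("wrapper is not base64url-encoded JSON") from exc
    if not isinstance(obj, dict):
        raise RoutingError("wrapper is not a JSON object")
    iss, token = obj.get("iss"), obj.get("token")
    if not isinstance(iss, str) or not isinstance(token, str) or not token:
        raise RoutingError("wrapper needs string 'iss' and 'token' members")
    # The outer "iss" is unauthenticated: use it only as an exact-match key
    # into local configuration, never as a URL to contact.
    endpoint = TRUSTED_ISSUERS.get(iss)
    if endpoint is None:
        raise RoutingError("issuer is not a configured authorization server")
    return endpoint, token


def wrap(iss: str, token: str) -> str:
    """Build a constructed sample wrapper (what the issuing side would emit)."""
    raw = json.dumps({"iss": iss, "token": token}).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
```

Because the outer `iss` is not integrity-protected, the introspection result from the selected server remains the authority on whether the inner token is active.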
