I’m concerned over the security implications of a client being able to introspect a token, for bearer tokens this can be very problematic, so unless the issues with possible token theft can be addressed I don’t support this as a WG draft
From: OAuth <oauth-boun...@ietf.org> On Behalf Of Rifaat Shekh-Yusef Sent: Thursday, July 19, 2018 10:44 AM To: oauth <oauth@ietf.org> Subject: [OAUTH-WG] Call for adoption of "JWT Response for OAuth Token Introspection" Hi all, This is the call for adoption of the 'JWT Response for OAuth Token Introspection' document following the presentation by Torsten at the Montreal IETF meeting where we didn't have a chance to do a call for adoption in the meeting itself. Here is presentation by Torsten: https://datatracker.ietf.org/meeting/102/materials/slides-102-oauth-sessa-jwt-response-for-oauth-token-introspection-00<https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdatatracker.ietf.org%2Fmeeting%2F102%2Fmaterials%2Fslides-102-oauth-sessa-jwt-response-for-oauth-token-introspection-00&data=02%7C01%7Ctonynad%40microsoft.com%7C5bb4d12618944cc8da4b08d5ed9f386b%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636676190478079368&sdata=wv8e%2FvGDm9LzeJaGrOBD8oGXgPSquNE%2BRKiEknF8sq4%3D&reserved=0> Here is the document: https://tools.ietf.org/html/draft-lodderstedt-oauth-jwt-introspection-response-01<https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftools.ietf.org%2Fhtml%2Fdraft-lodderstedt-oauth-jwt-introspection-response-01&data=02%7C01%7Ctonynad%40microsoft.com%7C5bb4d12618944cc8da4b08d5ed9f386b%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636676190478079368&sdata=cFISOVma8g%2BXdvf2KZdwCZBYlpfN%2FGb2knv8ZD9sKz4%3D&reserved=0> Please let us know by August 2nd whether you accept / object to the adoption of this document as a starting point for work in the OAuth working group. Regards, Hannes & Rifaat
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
