There are companies doing token introspection by the client already, see https://backstage.forgerock.com/docs/am/6/oauth2-guide/#sec-standards
What security implications do you see?

From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Anthony Nadalin
Sent: 20 July 2018 10:07
To: Rifaat Shekh-Yusef; oauth
Subject: Re: [OAUTH-WG] Call for adoption of "JWT Response for OAuth Token Introspection"

I'm concerned over the security implications of a client being able to introspect a token. For bearer tokens this can be very problematic, so unless the issues with possible token theft can be addressed I don't support this as a WG draft.

From: OAuth <oauth-boun...@ietf.org> On Behalf Of Rifaat Shekh-Yusef
Sent: Thursday, July 19, 2018 10:44 AM
To: oauth <oauth@ietf.org>
Subject: [OAUTH-WG] Call for adoption of "JWT Response for OAuth Token Introspection"

Hi all,

This is the call for adoption of the 'JWT Response for OAuth Token Introspection' document following the presentation by Torsten at the Montreal IETF meeting, where we didn't have a chance to do a call for adoption in the meeting itself.

Here is the presentation by Torsten:
https://datatracker.ietf.org/meeting/102/materials/slides-102-oauth-sessa-jwt-response-for-oauth-token-introspection-00

Here is the document:
https://tools.ietf.org/html/draft-lodderstedt-oauth-jwt-introspection-response-01

Please let us know by August 2nd whether you accept / object to the adoption of this document as a starting point for work in the OAuth working group.

Regards,
Hannes & Rifaat
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
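The thread above discusses the draft's central idea: returning the introspection result as a signed JWT rather than bare JSON, so the party that asked can verify who answered and that the answer was meant for it. The following is an added illustration written for this page; it is not code from the draft, from the thread, or from any implementation named in it. It assumes HS256 with a constructed shared key (the draft permits other JWS algorithms, and a real deployment would normally use the AS's asymmetric key), the claim names of RFC 7662 (active, scope, client_id, sub, exp) plus iss/aud/iat, placeholder URLs, and a constructed in-memory token store standing in for the authorization server's database.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for this example only (assumptions, not from the draft):
# a shared HMAC key, an AS issuer URL and a resource-server identifier used as audience.
AS_KEY = b"constructed-shared-secret-for-example-only"
AS_ISSUER = "https://as.example.com"
RS_ID = "https://rs.example.com"

# Constructed token store standing in for the AS database: opaque token -> metadata.
TOKEN_STORE = {
    "tok-valid": {"scope": "read", "client_id": "app-1", "sub": "alice", "exp": 2_000_000_000},
    "tok-expired": {"scope": "read", "client_id": "app-1", "sub": "bob", "exp": 1_000_000_000},
}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, key: bytes) -> str:
    """Produce a compact JWS (HS256) over the introspection claims."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    mac = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)


def introspect_as_jwt(access_token, requester, now=None, key=AS_KEY, store=TOKEN_STORE):
    """AS side: answer an introspection request with a signed JWT instead of bare JSON.
    The RFC 7662 claims are carried inside the JWT; iss/aud/iat bind the answer
    to this AS and to the resource server that asked."""
    now = int(time.time()) if now is None else now
    rec = store.get(access_token)
    claims = {"iss": AS_ISSUER, "aud": requester, "iat": now}
    if rec is None or rec["exp"] <= now:
        claims["active"] = False  # RFC 7662: unknown or expired tokens are simply inactive
    else:
        claims.update({"active": True, "scope": rec["scope"],
                       "client_id": rec["client_id"], "sub": rec["sub"], "exp": rec["exp"]})
    return sign_jwt(claims, key)


def verify_introspection_jwt(token_jwt, now=None, key=AS_KEY, expected_aud=RS_ID):
    """RS side: accept the claims only if signature, issuer, audience and expiry check out.
    Returns the claims dict, or None if the response must not be trusted."""
    now = int(time.time()) if now is None else now
    parts = token_jwt.split(".")
    if len(parts) != 3:
        return None
    h, p, s = parts
    try:
        header = json.loads(b64url_decode(h))
        claims = json.loads(b64url_decode(p))
        sig = b64url_decode(s)
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return None
    if header.get("alg") != "HS256":  # pin the algorithm; never let the header choose it
        return None
    expected = hmac.new(key, (h + "." + p).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    if claims.get("iss") != AS_ISSUER or claims.get("aud") != expected_aud:
        return None  # validly signed, but by another issuer or for another resource server
    if claims.get("active") and claims.get("exp", 0) <= now:
        return None  # stale positive answer
    return claims


if __name__ == "__main__":
    now = 1_500_000_000
    response = introspect_as_jwt("tok-valid", RS_ID, now=now)
    print(verify_introspection_jwt(response, now=now))
```

The audience check is what makes the signed form more than a formatting change: an introspection answer produced for one requester does not verify at another, and a modified payload fails the signature, so a resource server can act on the response without having to trust the transport or any intermediary that handled it.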