As discussed during the working group meeting, I agree with the people who spoke up saying that they believe that trying to over-generalize the JWT introspection response mechanism to cover all OAuth interactions would be reaching too far. There are differences in the characteristics of the different OAuth endpoints (authorization, token, introspection, AS metadata, dynamic registration, etc.) that would have to be accounted for, including the likelihood that different keys and algorithms would be appropriate in the different contexts, different client authentication methods would be needed, etc.
Let's do one thing well. Not create something that's extra-complicated without any clear use cases for doing so.

-- Mike

-----Original Message-----
From: OAuth <oauth-boun...@ietf.org> On Behalf Of Torsten Lodderstedt
Sent: Monday, November 5, 2018 1:33 PM
To: oauth <oauth@ietf.org>
Subject: [OAUTH-WG] Generalizing draft-ietf-oauth-jwt-introspection-response-01

Hi all,

as mentioned during the presentation this morning, I would like to get a feeling for what the working group thinks about generalizing draft-ietf-oauth-jwt-introspection-response-01 to a mechanism supporting requesting and providing JWT responses from the different OAuth endpoints, such as token, revocation, client registration, and introspection.

Please share your thoughts on the list.

Thanks in advance,
Torsten.