Hello, I'm wondering if the following conflicts in "JWT Response for OAuth Token Introspection" (draft 8 <https://tools.ietf.org/html/draft-ietf-oauth-jwt-introspection-response-08>) have already been pointed out.
RFC 8707 <https://tools.ietf.org/html/rfc8707> (Resource Indicators for OAuth 2.0) requires that 'aud' in an introspection response hold the values of the 'resource' request parameters, whereas "JWT Response for OAuth Token Introspection" says that 'aud' MUST identify the resource server receiving the token introspection response. The definitions conflict.

RFC 7662 <https://tools.ietf.org/html/rfc7662> (OAuth 2.0 Token Introspection) requires that 'iat' in an introspection response indicate when the access/refresh token was issued, whereas "JWT Response for OAuth Token Introspection" says that 'iat' indicates when the introspection response in JWT format was issued. The definitions conflict.

Best Regards,
Takahiko Kawasaki
Authlete, Inc.
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
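To make the collision concrete, here is an added Python example; it is not part of the post above and not code from any of the cited documents. It constructs one token's introspection data under the RFC 7662 / RFC 8707 definitions and the JWT-level claims under the draft-08 definitions as the post describes them, reports which claim names the two definitions give different values, and then has a resource server read one flattened, HS256-signed response JWT under each set of meanings. All URLs, identifiers, timestamps and the HMAC key are constructed sample values, and the HS256 helpers are a minimal stdlib implementation for the demo, not a production JWT library.

```python
"""Constructed demo: 'aud' and 'iat' under two definitions in one introspection response JWT."""
import base64
import hashlib
import hmac
import json

# Constructed sample values; none of them come from the mailing-list post or the specs.
AS_ISSUER = "https://as.example.com"
RS_IDENTIFIER = "https://rs.example.com"              # RS that receives the introspection response
RESOURCE_INDICATORS = ["https://rs.example.com/api"]  # RFC 8707 'resource' parameters of the token request
TOKEN_ISSUED_AT = 1_560_000_000
RESPONSE_ISSUED_AT = TOKEN_ISSUED_AT + 600            # response minted ten minutes after the token
HMAC_KEY = b"constructed-demo-key-not-for-production"


def token_introspection_claims():
    """Token metadata per RFC 7662 / RFC 8707: 'aud' = resource indicators, 'iat' = token issue time."""
    return {
        "active": True,
        "scope": "read",
        "client_id": "s6BhdRkqt3",
        "token_type": "Bearer",
        "aud": RESOURCE_INDICATORS,
        "iat": TOKEN_ISSUED_AT,
        "exp": TOKEN_ISSUED_AT + 3600,
    }


def response_jwt_claims(issued_at):
    """JWT-level claims per draft-08: 'aud' = the RS receiving the response, 'iat' = response issue time."""
    return {"iss": AS_ISSUER, "aud": RS_IDENTIFIER, "iat": issued_at}


def colliding_claims(token_claims, jwt_claims):
    """Claim names that both definitions assign, with different values: the conflict the post describes."""
    return sorted(k for k in token_claims.keys() & jwt_claims.keys()
                  if token_claims[k] != jwt_claims[k])


def flatten(token_claims, jwt_claims):
    """A flat payload holds one value per name; here the JWT-level definition overwrites the token's."""
    payload = dict(token_claims)
    payload.update(jwt_claims)
    return payload


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(payload, key):
    """Minimal HS256 JWS compact serialization (demo only). 'typ' is the value the draft uses."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "token-introspection+jwt"},
                                separators=(",", ":")).encode())
    body = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_hs256(jwt, key):
    """Check the HS256 signature in constant time and return the payload; raise on mismatch."""
    header, body, sig = jwt.split(".")
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), sig):
        raise ValueError("introspection response signature does not verify")
    return json.loads(_b64url_decode(body))


def _as_list(aud):
    return aud if isinstance(aud, list) else [aud]


def read_as_draft08(payload, rs_identifier, now, max_age):
    """RS applying the draft-08 meanings: is this response addressed to me, and is it fresh?"""
    return {"addressed_to_me": rs_identifier in _as_list(payload["aud"]),
            "fresh": 0 <= now - payload["iat"] <= max_age}


def read_as_rfc7662(payload, my_resource, now):
    """RS applying the RFC 7662 / RFC 8707 meanings: is the token for my resource, and how old is it?"""
    return {"token_for_my_resource": my_resource in _as_list(payload["aud"]),
            "token_age": now - payload["iat"]}


if __name__ == "__main__":
    token = token_introspection_claims()
    envelope = response_jwt_claims(RESPONSE_ISSUED_AT)
    print("colliding claim names:", colliding_claims(token, envelope))
    jwt = sign_hs256(flatten(token, envelope), HMAC_KEY)
    payload = verify_hs256(jwt, HMAC_KEY)
    now = RESPONSE_ISSUED_AT + 5
    print("draft-08 reading :", read_as_draft08(payload, RS_IDENTIFIER, now, max_age=60))
    print("RFC 7662 reading :", read_as_rfc7662(payload, RESOURCE_INDICATORS[0], now))
```

Run as a script, it reports the colliding names ['aud', 'iat'] and then shows the two readings of the same signed payload: the draft-08 reading finds a response addressed to the RS and five seconds old, while the RFC 7662 / RFC 8707 reading of that same payload sees a token that is not for the RS's resource indicator and is only five seconds old, although the token itself was issued 605 seconds earlier. Whichever meaning the authorization server encodes, a resource server applying the other one draws the wrong conclusion from the same two claims.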