Hi WG,

https://tools.ietf.org/html/draft-ietf-oauth-access-token-jwt-10 provides the following about JWT access tokens:

“resource servers can consume them directly for authorization or other purposes without any further round trips to introspection ([RFC7662]) or userinfo ([OpenID.Core]) endpoints.”

which is completely understandable. I do understand that the objective of this document is to standardize the token which the AS shares with the RS, as was discussed in other email threads. Here is what I would like to get a better understanding of:

1. What should a response of the introspection endpoint look like if the RS makes an attempt to introspect a JWT access token?
2. What should a response of the OpenID Connect userinfo endpoint look like for a JWT access token?

I assume that it’s expected to have no difference compared to a regular bearer token (given that a particular implementation of the AS provides these endpoints). Does it sound right? If so, what are we going to get if the RS or the client revokes a valid JWT access token using the revocation endpoint (RFC 7009)? Do you think there is a need to add more detailed information about these scenarios in the document? This way, we could refer back to these sections in the documentation in case any disputes around security-related topics come up.

Thank you.

Regards,
Andrii
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
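The interplay the message asks about (self-contained JWT validation at the RS versus RFC 7662 introspection and RFC 7009 revocation at the AS) can be made concrete with a small model. The block below is an added example, not code from the draft, from the OAuth WG, or from Andrii's message. It assumes a toy AS that signs tokens with HS256 under a constructed demo key (a real AS would use an asymmetric key so the RS never holds a signing secret), hypothetical issuer and audience URLs, and a hypothetical in-memory set of revoked `jti` values as the AS's revocation record. The `typ: at+jwt` header is the one the draft specifies; everything else about storage and response shape beyond what RFC 7662 requires (`active`) is an assumption of this example. The point it demonstrates is the one a defender needs: after revocation, local validation at the RS still accepts the JWT until `exp`, while introspection at the AS reports `active: false`.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed demo key and hypothetical endpoints (not from the draft).
DEMO_KEY = b"constructed-demo-hmac-key-not-for-production"
ISSUER = "https://as.example"      # hypothetical authorization server
AUDIENCE = "https://rs.example"    # hypothetical resource server

# Hypothetical AS-side revocation record: RFC 7009 only says the AS
# invalidates the token; keeping a set of revoked jti values is one way.
_revoked_jti = set()


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(sub: str, client_id: str, scope: str, now: int, ttl: int = 600) -> str:
    """AS side: mint a JWT access token with the 'at+jwt' typ header."""
    header = {"typ": "at+jwt", "alg": "HS256"}
    claims = {
        "iss": ISSUER, "sub": sub, "aud": AUDIENCE,
        "exp": now + ttl, "iat": now, "jti": secrets.token_hex(8),
        "client_id": client_id, "scope": scope,
    }
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(DEMO_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def _verify_and_decode(token: str):
    """Check the signature only; return (header, claims) or None."""
    try:
        h64, c64, s64 = token.split(".")
        expected = hmac.new(DEMO_KEY, f"{h64}.{c64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s64)):
            return None
        return json.loads(_b64url_decode(h64)), json.loads(_b64url_decode(c64))
    except (ValueError, json.JSONDecodeError):
        return None


def validate_locally(token: str, now: int):
    """RS side: self-contained validation with no round trip to the AS.
    Returns the claims dict or None. It checks signature, typ, iss, aud and
    exp; it has no way to observe revocation performed at the AS."""
    decoded = _verify_and_decode(token)
    if decoded is None:
        return None
    header, claims = decoded
    if header.get("typ") != "at+jwt" or header.get("alg") != "HS256":
        return None
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        return None
    if claims.get("exp", 0) <= now:
        return None
    return claims


def revoke(token: str) -> None:
    """AS side: RFC 7009 revocation. Records the jti; the JWT itself is
    unchanged, so copies already held by clients still carry a valid signature.
    RFC 7009 has the endpoint answer 200 even for unknown tokens, so no error."""
    decoded = _verify_and_decode(token)
    if decoded is not None:
        _revoked_jti.add(decoded[1].get("jti"))


def introspect(token: str, now: int) -> dict:
    """AS side: RFC 7662 introspection of a JWT access token. A revoked,
    expired or tampered token yields {"active": false}; otherwise the token's
    claims are returned alongside "active": true."""
    claims = validate_locally(token, now)
    if claims is None or claims["jti"] in _revoked_jti:
        return {"active": False}
    response = {"active": True, "token_type": "Bearer"}
    response.update(claims)
    return response


def demo():
    """Returns ((local_ok, introspect_active) before revocation, same after)."""
    now = int(time.time())
    tok = issue_token("alice", "client-123", "read", now)
    before = (validate_locally(tok, now) is not None, introspect(tok, now)["active"])
    revoke(tok)
    after = (validate_locally(tok, now) is not None, introspect(tok, now)["active"])
    return before, after
```

Running `demo()` gives `((True, True), (True, False))`: the RS that trusts the JWT alone keeps accepting a revoked token for the remainder of its lifetime, which is why short `exp` values, or an introspection call for high-value operations, are the usual mitigations when revocation must take effect promptly.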