Hello,

On 20-10-04 at 11:27, Thomas Broyer wrote:

>     There might be some kind of pushed events between the AS and the RS when
>     a JWT AT is revoked, to allow the RS not to introspect a JWT AT at all.
>     Like this, the RS knows if a JWT AT has been revoked or not.
> 
> 
> If there are some kind of pushed events between the AS and the RS, then
> it could push the revoked (and/or expired) opaque AT too, giving almost
> no advantage to JWT ATs.
>
Not necessarily. Let's say the AS informs the RS only of the revoked
ATs. When an RS checks an AT, it verifies the signature first, then the
claims, then checks whether the AT has been revoked by consulting its
internal list, which is filled by the AS's pushed events.

In this model, considering that token revocations don't happen a lot,
the ratio of revoked ATs to valid ATs is very low, so the advantage of a
JWT is important: it means much less communication between the AS and
the RSs, and a very reliable AT.

But this means a communication mechanism that isn't standardized yet.

/Nicolas

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
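The verification order described in the message above (signature first, then claims, then a purely local revocation list fed by events pushed from the AS) as an added Python example; it is not code from this thread or from any IETF draft. It assumes a hypothetical HS256 shared key, an assumed audience value, and a hypothetical `on_revocation_event` handler standing in for the not-yet-standardized push transport; every key, claim and token below is a constructed demo value.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret (assumption). With HS256 the AS and RS share it; a real
# deployment would more likely use an asymmetric alg so the RS holds only a public key.
DEMO_KEY = b"constructed-demo-key-do-not-use"
DEMO_AUDIENCE = "https://rs.example"  # assumed identifier of this RS


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Stand-in for the AS issuing an HS256 JWT access token (demo only)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


class ResourceServer:
    """RS-side checker: signature, then claims, then the locally held revocation list."""

    def __init__(self, key: bytes, audience: str):
        self.key = key
        self.audience = audience
        # Filled only by pushed revocation events from the AS; never by introspection.
        self.revoked_jtis = set()

    def on_revocation_event(self, jti: str) -> None:
        """Hypothetical handler for a pushed 'token revoked' event from the AS."""
        self.revoked_jtis.add(jti)

    def check_token(self, token: str, now=None):
        now = time.time() if now is None else now
        parts = token.split(".")
        if len(parts) != 3:
            return False, "malformed"
        header_b64, payload_b64, sig_b64 = parts
        try:
            header = json.loads(b64url_decode(header_b64))
            signature = b64url_decode(sig_b64)
        except ValueError:  # covers binascii.Error, JSONDecodeError, UnicodeDecodeError
            return False, "malformed"

        # Step 1: signature. Pin the expected alg so 'none' or a swapped alg is rejected.
        if header.get("alg") != "HS256":
            return False, "unexpected alg"
        signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
        expected = hmac.new(self.key, signing_input, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, signature):
            return False, "bad signature"

        # Step 2: claims. Only now is the payload trusted enough to act on.
        try:
            claims = json.loads(b64url_decode(payload_b64))
        except ValueError:
            return False, "malformed"
        if claims.get("aud") != self.audience:
            return False, "wrong audience"
        if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
            return False, "expired"
        jti = claims.get("jti")
        if not isinstance(jti, str):
            return False, "missing jti"

        # Step 3: revocation, checked last and purely locally (no round trip to the AS).
        if jti in self.revoked_jtis:
            return False, "revoked"
        return True, str(claims.get("sub", ""))


def demo() -> dict:
    """Walk one constructed token through the scenarios; returns the RS verdicts."""
    rs = ResourceServer(DEMO_KEY, DEMO_AUDIENCE)
    claims = {"iss": "https://as.example", "sub": "alice", "aud": DEMO_AUDIENCE,
              "exp": 1_700_000_000, "jti": "tok-0001"}
    token = mint_token(claims)
    results = {"fresh": rs.check_token(token, now=1_699_999_000)}
    rs.on_revocation_event("tok-0001")  # AS pushes a revocation for this jti
    results["after_revocation"] = rs.check_token(token, now=1_699_999_000)
    results["expired"] = rs.check_token(token, now=1_700_000_001)
    results["forged"] = rs.check_token(mint_token(claims, key=b"wrong-key"), now=1_699_999_000)
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Because the signature and claim checks run before the list lookup, a forged or expired token never reaches the revocation step, and an entry in `revoked_jtis` can be dropped once the token's `exp` has passed, which keeps the list small in exactly the low-revocation regime the message argues for.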
