Re: [OAUTH-WG] JWT Response for OAuth Token Introspection and types of tokens

2021-02-15 Thread Vladimir Dzhuvinov
RFC 7662 is not explicit on the refresh token "aud". Omitting the "aud" value or setting it to the AS, the ultimate consumer, appears valid here.

Vladimir

On 11/02/2021 23:47, Andrii Deinega wrote:
> Hi Vladimir,
>
> What would be a value in the aud claim for refresh tokens?
>
> Regards,
> Andrii

Re: [OAUTH-WG] JWT Response for OAuth Token Introspection and types of tokens

2021-02-11 Thread Andrii Deinega
Hi Vladimir, What would be a value in the aud claim for refresh tokens? Regards, Andrii On Tue, Feb 9, 2021 at 3:06 AM Vladimir Dzhuvinov wrote: > Hi Warren, > On 08/02/2021 17:59, Warren Parad wrote: > > None of that justified explicitly stating that refresh token introspection > shouldn't b

Re: [OAUTH-WG] JWT Response for OAuth Token Introspection and types of tokens

2021-02-09 Thread Vladimir Dzhuvinov
Hi Warren, On 08/02/2021 17:59, Warren Parad wrote: > None of that justified explicitly stating that refresh token > introspection shouldn't be done. At best it suggests that we should > explicitly add language in the draft to directly encourage it. Did you mean discourage? > But if an AS wants

Re: [OAUTH-WG] JWT Response for OAuth Token Introspection and types of tokens

2021-02-08 Thread Warren Parad
None of that justified explicitly stating that refresh token introspection shouldn't be done. At best it suggests that we should explicitly add language in the draft to directly encourage it. But if an AS wants to support it, we shouldn't stop them, or suggest that they can't do it. Allowing refre

Re: [OAUTH-WG] JWT Response for OAuth Token Introspection and types of tokens

2021-02-08 Thread Vladimir Dzhuvinov
At first it may appear that allowing refresh tokens at the introspection endpoint may be a logical thing to do, but in practice there are issues with that and from an OAuth 2.x perspective it's not easy to justify. If the point is to let clients check what authorization they have been given OAuth

Re: [OAUTH-WG] JWT Response for OAuth Token Introspection and types of tokens

2021-02-08 Thread Warren Parad
It doesn't work that way. You suggested to add language to the draft, that means the burden of proof is on you to justify adding it. Otherwise I could just say why not? And I can go stronger, what's the purpose of the introspection endpoint at all, and why encourage sending access tokens to the A

Re: [OAUTH-WG] JWT Response for OAuth Token Introspection and types of tokens

2021-02-07 Thread Torsten Lodderstedt
> On 08.02.2021 at 00:56, Warren Parad wrote: > > >> I'm therefore leaning towards explicitly stating in our draft that it is not >> intended to be used with refresh tokens. > I'm not following, why explicitly state that it isn't intended. If an AS > wants to provide a similar JSON respons

Re: [OAUTH-WG] JWT Response for OAuth Token Introspection and types of tokens

2021-02-07 Thread Warren Parad
> > I'm therefore leaning towards explicitly stating in our draft that it is > not intended to be used with refresh tokens. I'm not following, why explicitly state that it isn't intended. If an AS wants to provide a similar JSON response to a query with the refresh token, why not encourage that?

Re: [OAUTH-WG] JWT Response for OAuth Token Introspection and types of tokens

2021-02-07 Thread Torsten Lodderstedt
Hi Andrii, > On 07.02.2021 at 21:30, Andrii Deinega wrote: > > > Hi Torsten, > > thank you for your response. > > My use case is pretty straightforward > > An OAuth client queries the AS to determine the active state of an access > token and gets the introspection response which indicate

Re: [OAUTH-WG] JWT Response for OAuth Token Introspection and types of tokens

2021-02-07 Thread Andrii Deinega
Hi Torsten, thank you for your response. My use case is pretty straightforward. An OAuth client queries the AS to determine the active state of an access token and gets the introspection response which indicates that this access token is active (using RFC7662). An OAuth client queries the AS to

Re: [OAUTH-WG] JWT Response for OAuth Token Introspection and types of tokens

2021-02-07 Thread Torsten Lodderstedt
Hi Andrii, thanks for your post. The draft is intended to provide AS and RS with a solution to exchange signed (and optionally encrypted) token introspection responses in order to provide stronger assurance among those parties. This is important in use cases where the RS acts upon the introsp

[OAUTH-WG] JWT Response for OAuth Token Introspection and types of tokens

2021-02-06 Thread Andrii Deinega
Hi WG, draft-ietf-oauth-jwt-introspection-response-10 states that "OAuth 2.0 Token Introspection [RFC7662] specifies a method for a protected resource to query an OAuth 2.0 authorization server to determine the state of an access token and obtain data associated with the access token." which is tr