> on LinkedIn from my native LinkedIn app and the corresponding post will show
> up on twitter as well.
> Now, one might choose to *explicitly* tie tokens lifetime to originating
> sessions lifetime, see the discussion on the OpenID Connect group about a
> possible online_acce
ature, a quick google query will give you
> the full measure of the phenomenon, hence I think we’ll be OK with the
> current form.
>
> Cheers,
>
> V.
>
>
>
> *From:* Andrii Deinega
> *Sent:* Tuesday, October 6, 2020 2:25 PM
> *To:* vittorio.berto...@auth0.co
OK with the current form.
Cheers,
V.
From: Andrii Deinega
Sent: Tuesday, October 6, 2020 2:25 PM
To: vittorio.berto...@auth0.com; oauth@ietf.org
Cc: Jim Manico ; Nicolas Mora
Subject: Re: [OAUTH-WG] JWT access tokens and the revocation endpoint
Vittorio and WG,
Would it be possible
OAuth On Behalf Of Jim Manico
> Sent: Sunday, October 4, 2020 5:17 PM
> To: Nicolas Mora
> Cc: oauth@ietf.org
> Subject: Re: [OAUTH-WG] JWT access tokens and the revocation endpoint
>
>> In this model, considering that token revocations don't happen a lot...
> Just a brief
tokens and the revocation endpoint
On Sun, Oct 4, 2020 at 6:55 PM Nicolas Mora <nico...@babelouest.org> wrote:
Hello,
On 20-10-04 at 11:27, Thomas Broyer wrote:
> There might be some kind of pushed events between the AS and the RS when
> a JWT AT is revoked,
s scope for influencing RTs and ATs (in particular, in the
context of SPAs) but that's additional semantics that isn’t defined today.
-----Original Message-----
From: OAuth On Behalf Of Jim Manico
Sent: Sunday, October 4, 2020 5:17 PM
To: Nicolas Mora
Cc: oauth@ietf.org
Subject: Re: [OAUTH-W
ober 4, 2020 5:17 PM
> To: Nicolas Mora
> Cc: oauth@ietf.org
> Subject: Re: [OAUTH-WG] JWT access tokens and the revocation endpoint
>
> > In this model, considering that token revocations don't happen a lot...
>
> Just a brief note, a secure piece of software makes the
ing RTs and ATs (in particular, in the
context of SPAs) but that's additional semantics that isn’t defined today.
-----Original Message-----
From: OAuth On Behalf Of Jim Manico
Sent: Sunday, October 4, 2020 5:17 PM
To: Nicolas Mora
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] JWT access tokens
On Sun, Oct 4, 2020 at 6:55 PM Nicolas Mora wrote:
> Hello,
>
> On 20-10-04 at 11:27, Thomas Broyer wrote:
>
> > There might be some kind of pushed events between the AS and the RS
> when
> > a JWT AT is revoked, to allow the RS not to introspect a JWT AT at
> all.
> > Like this,
> In this model, considering that token revocations don't happen a lot...
Just a brief note, a secure piece of software makes the logout feature
prominent. Every logout event should trigger token revocation.
I’m mentioning this because a lot of OAuth solutions in the mobile space
literally igno
Hello,
On 20-10-04 at 11:27, Thomas Broyer wrote:
> There might be some kind of pushed events between the AS and the RS when
> a JWT AT is revoked, to allow the RS not to introspect a JWT AT at all.
> Like this, the RS knows if a JWT AT has been revoked or not.
>
>
> If there ar
Disclosure: I have not read the draft on JWT AT, those comments are based
only on my current knowledge of OAuth 2.0 / OpenID Connect, and JWT.
On Sat, Oct 3, 2020 at 19:18, Nicolas Mora wrote:
> My 2 cents,
>
> On 20-10-02 at 18:19, Andrii Deinega wrote:
> >
> > Here is what I would like t
My 2 cents,
On 20-10-02 at 18:19, Andrii Deinega wrote:
>
> Here is what I would like to get a better understanding of:
> 1. What should a response of the introspection endpoint look like if the
> RS makes an attempt to introspect a JWT access token?
AFAIK, the RFC doesn't specify if the intr
Hi WG,
https://tools.ietf.org/html/draft-ietf-oauth-access-token-jwt-10 provides
the following about JWT access tokens:
“resource servers can consume them directly for authorization or other
purposes without any further round trips to introspection ([RFC7662]) or
userinfo ([OpenID.Core]) endpoints.”