Re: [WG-UMA] Use signed JWT as RPT?

I think I proposed that as a posable optimization a long time ago. I think at the time JWT was a ways from being finished and people didn’t want to take a dependency on it. The flow was left so it could be a future option. I don’t think that there is a security issue, but it is probably two or more years since I thought about it. Perhaps George or someone else remembers more about the discussion at the time. John B.

On Oct 1, 2015, at 10:11 AM, Mike Schwartz wrote:

UMA-tarians,

One of Gluu's customers has proposed using a JWT as the RPT token signed by the AS to avoid the call to the introspection API (for better performance). It didn't seem like a horrible idea, or anything that would break the security. Any thoughts? Am I wrong--is there some inherent security advantage to calling the introspection API?

- Mike

------------------------------------- Michael Schwartz Gluu Founder / CEO _______________________________________________ WG-UMA mailing list WG-UMA@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/wg-uma