
I think I proposed that as a possible optimization a long time ago. I think at the time JWT was a ways from being finished and people didn't want to take a dependency on it. The flow was left so it could be a future option. I don't think that there is a security issue, but it is probably two or more years since I thought about it. Perhaps George or someone else remembers more about the discussion at the time. John B.
On Oct 1, 2015, at 10:11 AM, Mike Schwartz <mike@gluu.org> wrote:
UMA-tarians,
One of Gluu's customers has proposed using a JWT as the RPT token signed by the AS to avoid the call to the introspection API (for better performance). It didn't seem like a horrible idea, or anything that would break the security. Any thoughts? Am I wrong--is there some inherent security advantage to calling the introspection API?
- Mike
-------------------------------------
Michael Schwartz
Gluu Founder / CEO

_______________________________________________
WG-UMA mailing list
WG-UMA@kantarainitiative.org
http://kantarainitiative.org/mailman/listinfo/wg-uma
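The trade Mike describes, as an added example that is not part of the thread and is not Gluu's or the UMA WG's code: the AS mints an RS256-signed JWT as the RPT, embedding a "permissions" array shaped like the one the introspection endpoint would have returned, and the RS verifies it locally against the AS public key instead of calling the introspection API. UMA 1.0 defines no JWT layout for the RPT, so the claim names, the issuer/audience URLs and the resource set identifiers below are assumptions; how the RS obtains the AS public key (a JWKS endpoint, out-of-band configuration) is also left outside the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

// Permission mirrors one entry of the introspection response's "permissions" array.
type Permission struct {
	ResourceSetID string   `json:"resource_set_id"`
	Scopes        []string `json:"scopes"`
	Exp           int64    `json:"exp"`
}

// RPTClaims is an assumed layout for a self-contained RPT (UMA 1.0 defines none).
type RPTClaims struct {
	Iss         string       `json:"iss"`
	Aud         string       `json:"aud"` // the RS this RPT is meant for
	Exp         int64        `json:"exp"`
	Jti         string       `json:"jti"` // lets an RS honour a revocation list if it keeps one
	Permissions []Permission `json:"permissions"`
}

func b64(b []byte) string           { return base64.RawURLEncoding.EncodeToString(b) }
func dec(s string) ([]byte, error) { return base64.RawURLEncoding.DecodeString(s) }

// NewASKey generates the AS signing key (2048-bit RSA for RS256).
func NewASKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// MintRPT is the AS side: an RS256 JWS over base64url(header).base64url(payload).
func MintRPT(priv *rsa.PrivateKey, claims RPTClaims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256"})
	pl, _ := json.Marshal(claims) // plain struct of strings and ints: cannot fail
	input := b64(hdr) + "." + b64(pl)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64(sig), nil
}

// VerifyRPT is the RS side: signature, alg, issuer, audience and expiry are checked locally.
func VerifyRPT(pub *rsa.PublicKey, token, wantIss, wantAud string, now time.Time) (*RPTClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	hdrJSON, e1 := dec(parts[0])
	plJSON, e2 := dec(parts[1])
	sig, e3 := dec(parts[2])
	if e1 != nil || e2 != nil || e3 != nil {
		return nil, errors.New("bad base64url")
	}
	var hdr struct{ Alg string `json:"alg"` }
	// Pin the algorithm: the token must not get to choose "none" or an HMAC alg.
	if err := json.Unmarshal(hdrJSON, &hdr); err != nil || hdr.Alg != "RS256" {
		return nil, errors.New("unexpected alg")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, errors.New("bad signature")
	}
	var c RPTClaims
	if err := json.Unmarshal(plJSON, &c); err != nil {
		return nil, err
	}
	if c.Iss != wantIss || c.Aud != wantAud {
		return nil, errors.New("wrong issuer or audience")
	}
	if !now.Before(time.Unix(c.Exp, 0)) {
		return nil, errors.New("token expired")
	}
	return &c, nil
}

// Permits reports whether a verified RPT grants scope on resourceSetID at time now,
// the same decision the RS would otherwise derive from the introspection response.
func Permits(c *RPTClaims, resourceSetID, scope string, now time.Time) bool {
	for _, p := range c.Permissions {
		if p.ResourceSetID != resourceSetID || !now.Before(time.Unix(p.Exp, 0)) {
			continue
		}
		for _, s := range p.Scopes {
			if s == scope {
				return true
			}
		}
	}
	return false
}
```

The AS calls NewASKey once and MintRPT per token; the RS calls VerifyRPT and then Permits on every request with no round trip. What the RS gives up is the AS's view at request time: a permission revoked or a policy changed after issuance stays valid until the token's exp, so a self-contained RPT only approximates introspection if the AS keeps exp short (or the RS consults a jti deny-list). The alg pin matters because the token header is attacker-controlled until the signature is checked.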