I would argue that the issue raised was using incorrect terminology as well, since we have an RFC that claims the term in this space and context:

https://tools.ietf.org/html/rfc7662

Is this more limited than the dictionary definition? Yes, but this happens with terms all the time. “Token” is also defined in a lot of different ways but it means something very specific in this context, and using it to mean something else (that might otherwise be a valid definition of token) is confusing in the OAuth/UMA/OIDC context. For a concrete example, FIDO and OAuth both have “tokens” but they mean very, very different things.

FWIW, I didn’t coin the term introspection, but a number of people were using it to describe this process when I pulled the original draft together. The idea was that the authorization server is being asked to look into its own internal state to figure out what the token is good for (introspect) and report on its findings, all via an API. That was reasonable enough, so I ran with it and the community accepted it. 

 — Justin

On Dec 28, 2015, at 3:24 PM, Mike Schwartz <mike@gluu.org> wrote:

I'm using jargon consistent with the issue that was raised a while back.

Google says introspection means:
"the examination or observation of one's own mental and emotional processes"

So I'm not sure the word really fits for either calling an API to get back a JWT, or decrypting it...

- Mike


On 2015-12-28 14:05, Justin Richer wrote:

I’m confused about something: How is this “introspection”? Isn’t this just using a structured token (JWT)? You can use both together if you like (MITREid Connect has been doing this for years and HEART requires it), but you shouldn’t confuse a self-contained structured token (JWT) with an online token verification and information service (introspection).

— Justin

On Dec 28, 2015, at 3:00 PM, Mike Schwartz <mike@gluu.org> wrote:

UMA-tarians,

We added support in the Gluu Server for local token introspection.

A few notes are here:
https://github.com/GluuFederation/oxAuth/issues/111

We decided to use the same signing algorithm as was registered for the id_token signing in OpenID Connect dynamic client registration, and re-publish this info in the UMA discovery endpoint.

We also added a discovery value "rpt_as_jwt" to specify that local token introspection is in use.

Feedback is welcome... are we missing something?

- Mike

--
-------------------------------------
Michael Schwartz
Gluu
Founder / CEO
mike@gluu.org
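
An added example, not part of the thread and not Gluu or MITREid Connect code: it contrasts the two mechanisms the thread distinguishes, offline validation of a self-contained JWT and an RFC 7662-style answer computed from the authorization server's current state. The HS256 shared key, the claims, the `AS_STATE` store and all function names are assumptions made for the sketch.

```python
import base64, hashlib, hmac, json, time

KEY = b"constructed-demo-key"  # assumption: HS256 shared key, chosen to stay stdlib-only
AS_STATE = {}                  # authorization server's internal state: token -> record

def b64u(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64u_dec(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(signing_input):
    return hmac.new(KEY, signing_input.encode(), hashlib.sha256).digest()

def issue(claims):
    """AS issues a signed JWT and records it in its own state."""
    head = b64u(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64u(json.dumps(claims).encode())
    token = f"{head}.{body}.{b64u(sign(head + '.' + body))}"
    AS_STATE[token] = {"revoked": False}
    return token

def validate_locally(token, now=None):
    """Resource server: check signature and exp offline. Returns claims or None."""
    try:
        head, body, sig = token.split(".")
        if json.loads(b64u_dec(head)).get("alg") != "HS256":
            return None
        if not hmac.compare_digest(sign(head + "." + body), b64u_dec(sig)):
            return None
        claims = json.loads(b64u_dec(body))
    except (ValueError, AttributeError):
        return None
    now = time.time() if now is None else now
    return claims if claims.get("exp", 0) > now else None

def introspect(token, now=None):
    """AS: RFC 7662-style answer derived from its current state."""
    record = AS_STATE.get(token)
    claims = validate_locally(token, now) if record else None
    if claims is None or record["revoked"]:
        return {"active": False}
    return {"active": True, **claims}

def demo():
    token = issue({"iss": "https://as.example", "scope": "read", "exp": time.time() + 300})
    before = (validate_locally(token) is not None, introspect(token)["active"])
    AS_STATE[token]["revoked"] = True  # AS-side revocation after issuance
    after = (validate_locally(token) is not None, introspect(token)["active"])
    return before, after  # ((True, True), (True, False))
```

After revocation the JWT still validates offline until `exp`, while the introspection answer changes immediately; that gap is what a resource server accepts when it relies on the JWT alone.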