Re: [WG-UMA] Local Token Introspection

I'm using jargon consistent with the issue that was raised a while back. Google says introspection means: "the examination or observation of one's own mental and emotional processes" So I'm not sure the word really fits for either calling an API to get back a JWT, or decrypting it... - Mike On 2015-12-28 14:05, Justin Richer wrote:

I’m confused about something: How is this “introspection”? Isn’t this just using a structure token (JWT)? You can use both together if you like (MITREid Connect has been doing this for years and HEART requires it), but you shouldn’t confuse a self-contained structured token (JWT) with an online token verification and information service (introspection).

— Justin

...

On Dec 28, 2015, at 3:00 PM, Mike Schwartz wrote:

UMA-tarians,

We added support in the Gluu Server for local token introspection.

A few notes are here: https://github.com/GluuFederation/oxAuth/issues/111

We decided to use the same signing algorithm as was registered for the id_token signing in OpenID Connect dynamic client registration, and re-publish this info in the UMA discovery endpoint.

We also added a discovery value "rpt_as_jwt" to specify that local token introspection is in use.

Feedback is welcome... are we missing something?

- Mike

-- ------------------------------------- Michael Schwartz Gluu Founder / CEO mike@gluu.org