
I'm using jargon consistent with the issue that was raised a while back.
Google says introspection means: "the examination or observation of one's own mental and emotional processes". So I'm not sure the word really fits for either calling an API to get back a JWT, or decrypting it...
- Mike
On 2015-12-28 14:05, Justin Richer wrote:
I’m confused about something: How is this “introspection”? Isn’t this just using a structured token (JWT)? You can use both together if you like (MITREid Connect has been doing this for years and HEART requires it), but you shouldn’t confuse a self-contained structured token (JWT) with an online token verification and information service (introspection).
— Justin
On Dec 28, 2015, at 3:00 PM, Mike Schwartz <mike@gluu.org> wrote:
UMA-tarians,
We added support in the Gluu Server for local token introspection.
A few notes are here: https://github.com/GluuFederation/oxAuth/issues/111
We decided to use the same signing algorithm as was registered for the id_token signing in OpenID Connect dynamic client registration, and re-publish this info in the UMA discovery endpoint.
We also added a discovery value "rpt_as_jwt" to specify that local token introspection is in use.
Feedback is welcome... are we missing something?
- Mike
--
-------------------------------------
Michael Schwartz
Gluu
Founder / CEO
mike@gluu.org