For a long time, longer than the Token Introspection spec existed, a number of communities (ours included) have talked about "locally introspecting" a token, exactly as Mike has described. But of course the definition in the Token Introspection spec -- which we reference, of course -- defined the term itself, and is unambiguous.

So another term would seem to be best. The ACE OAuth draft seems to talk about "validation of a self-contained token" -- not bad, though a mouthful. Any other thoughts?


Eve Maler
Cell +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl


On Mon, Dec 28, 2015 at 12:41 PM, Justin Richer <jricher@mit.edu> wrote:
I would argue that the issue raised was using incorrect terminology as well, since we have an RFC that claims the term in this space and context:

https://tools.ietf.org/html/rfc7662

Is this more limited than the dictionary definition? Yes, but this happens with terms all the time. “Token” is also defined in a lot of different ways but it means something very specific in this context, and using it to mean something else (that might otherwise be a valid definition of token) is confusing in the OAuth/UMA/OIDC context. For a concrete example, FIDO and OAuth both have “tokens” but they mean very, very different things.

FWIW, I didn’t coin the term introspection, but a number of people were using it to describe this process when I pulled the original draft together. The idea was that the authorization server is being asked to look into its own internal state to figure out what the token is good for (introspect) and report on its findings, all via an API. That was reasonable enough, so I ran with it and the community accepted it. 

 — Justin

On Dec 28, 2015, at 3:24 PM, Mike Schwartz <mike@gluu.org> wrote:

I'm using jargon consistent with the issue that was raised a while back.

Google says introspection means:
"the examination or observation of one's own mental and emotional processes"

So I'm not sure the word really fits for either calling an API to get back a JWT, or decrypting it...

- Mike


On 2015-12-28 14:05, Justin Richer wrote:
I’m confused about something: How is this “introspection”? Isn’t this just using a structured token (JWT)? You can use both together if you like (MITREid Connect has been doing this for years and HEART requires it), but you shouldn’t confuse a self-contained structured token (JWT) with an online token verification and information service (introspection).
— Justin
On Dec 28, 2015, at 3:00 PM, Mike Schwartz <mike@gluu.org> wrote:
UMA-tarians,
We added support in the Gluu Server for local token introspection.
A few notes are here:
https://github.com/GluuFederation/oxAuth/issues/111
We decided to use the same signing algorithm as was registered for the id_token signing in OpenID Connect dynamic client registration, and re-publish this info in the UMA discovery endpoint.
We also added a discovery value "rpt_as_jwt" to specify that local token introspection is in use.
Feedback is welcome... are we missing something?
- Mike

--
-------------------------------------
Michael Schwartz
Gluu
Founder / CEO
mike@gluu.org


_______________________________________________
WG-UMA mailing list
WG-UMA@kantarainitiative.org
http://kantarainitiative.org/mailman/listinfo/wg-uma
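The two verification paths the thread contrasts, as an added example that is not part of the original messages and is not Gluu's oxAuth code: a resource server either validates a self-contained RPT that is a JWT locally, using the signing algorithm the authorization server advertises in discovery, or it asks the AS's RFC 7662 introspection endpoint. Everything here is constructed so the script runs offline: the discovery document carries Mike's "rpt_as_jwt" flag plus an assumed "rpt_signing_alg" field (the real Gluu field name for the re-published algorithm is not stated in the thread), the AS key is a demo HS256 secret (a real AS would publish an asymmetric key in its JWKS and sign with RS256 or ES256), the claim names are ordinary RFC 7519 claims, and the introspection "endpoint" is an in-process lookup that returns an RFC 7662-shaped response.

```python
"""Local validation of a self-contained RPT (JWT) versus online
introspection (RFC 7662).  Added example; all inputs are constructed."""
import base64
import hashlib
import hmac
import json
import time

# Constructed discovery document.  "rpt_as_jwt" is the flag from the thread;
# "rpt_signing_alg" and the shared key are assumptions for this demo.
DISCOVERY = {"rpt_as_jwt": True, "rpt_signing_alg": "HS256"}
AS_KEY = b"constructed-demo-key-do-not-use"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_rpt(claims: dict, key: bytes = AS_KEY) -> str:
    """AS side: issue an RPT as a compact JWS (header.payload.signature)."""
    header = {"alg": DISCOVERY["rpt_signing_alg"], "typ": "JWT"}
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(claims).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def validate_self_contained(token: str, audience: str, now=None, key: bytes = AS_KEY) -> dict:
    """RS side, path (a): verify the JWT locally, never contacting the AS.

    Returns an introspection-shaped dict so callers treat both paths alike.
    Rejects a header alg that differs from the advertised one (so "none" and
    alg-confusion tokens fail before any crypto), bad signatures, expiry and
    audience mismatch.
    """
    now = time.time() if now is None else now
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        claims = json.loads(b64url_decode(p))
        sig = b64url_decode(s)
    except (ValueError, json.JSONDecodeError):
        return {"active": False}
    if header.get("alg") != DISCOVERY["rpt_signing_alg"]:
        return {"active": False}
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return {"active": False}
    if claims.get("exp", 0) <= now or claims.get("aud") != audience:
        return {"active": False}
    return {"active": True, **claims}


# Constructed AS-side state for path (b): what an RFC 7662 endpoint consults.
# Opaque token string -> metadata; revocation is simply dropping the entry.
AS_TOKEN_STORE = {}


def introspect(token: str, now=None) -> dict:
    """RS side, path (b): the online check.  In production this is an HTTPS
    POST to the AS introspection endpoint; here it is an in-process lookup."""
    now = time.time() if now is None else now
    meta = AS_TOKEN_STORE.get(token)
    if meta is None or meta.get("exp", 0) <= now:
        return {"active": False}
    return {"active": True, **meta}


def revocation_contrast(now=1000):
    """A caveat the thread does not spell out: after the AS revokes both
    tokens, the self-contained RPT still validates locally until exp, while
    the introspected opaque RPT goes inactive immediately."""
    claims = {"iss": "https://as.example", "aud": "rs1", "exp": now + 600}
    jwt_rpt = mint_rpt(claims)
    opaque_rpt = "opaque-rpt-1"
    AS_TOKEN_STORE[opaque_rpt] = dict(claims)
    before = (validate_self_contained(jwt_rpt, "rs1", now)["active"],
              introspect(opaque_rpt, now)["active"])
    AS_TOKEN_STORE.pop(opaque_rpt)  # AS revokes; RS is not told
    after = (validate_self_contained(jwt_rpt, "rs1", now)["active"],
             introspect(opaque_rpt, now)["active"])
    return before, after


if __name__ == "__main__":
    print(revocation_contrast())
```

The point of the shared return shape is that the resource server's authorization code does not care which path produced the answer; what differs is freshness (introspection reflects AS state now, local validation reflects it as of issuance) and the cost of a round trip per request. A deployment that picks "rpt_as_jwt" should therefore keep exp short or accept that revocation is delayed.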