At UnboundID, we use the term self-contained tokens as well. 



Take care,

Ishan

Ishan Kumar  |  UnboundID - Product Manager

512.600.7764  |  ishank@unboundid.com



On Mon, Jan 4, 2016 at 2:23 PM, Mike Schwartz <mike@gluu.org> wrote:
"self-contained token validation" is ok by me...

- Mike


On 2016-01-04 14:07, Eve Maler wrote:
For a long time, longer than the Token Introspection spec existed, a
number of communities (ours included) have talked about "locally
introspecting" a token, exactly as Mike has described. But of course
the definition in the Token Introspection spec -- which we reference,
of course -- defined the term itself, and is unambiguous.

So another term would seem to be best. The ACE OAuth draft [3] seems
to talk about "validation of a self-contained token" -- not bad,
though a mouthful. Any other thoughts?

Eve Maler
Cell +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl

On Mon, Dec 28, 2015 at 12:41 PM, Justin Richer <jricher@mit.edu>
wrote:

I would argue that the issue raised was using incorrect terminology
as well, since we have an RFC that claims the term in this space and
context:

https://tools.ietf.org/html/rfc7662 [1]


Is this more limited than the dictionary definition? Yes, but this
happens with terms all the time. “Token” is also defined in a
lot of different ways but it means something very specific in this
context, and using it to mean something else (that might otherwise
be a valid definition of token) is confusing in the OAuth/UMA/OIDC
context. For a concrete example, FIDO and OAuth both have
“tokens” but they mean very, very different things.

FWIW, I didn’t coin the term introspection, but a number of people
were using it to describe this process when I pulled the original
draft together. The idea was that the authorization server is being
asked to look into its own internal state to figure out what the
token is good for (introspect) and report on its findings, all via
an API. That was reasonable enough, so I ran with it and the
community accepted it.

— Justin

On Dec 28, 2015, at 3:24 PM, Mike Schwartz <mike@gluu.org> wrote:

I'm using jargon consistent with the issue that was raised a while
back.

Google says introspection means:
"the examination or observation of one's own mental and emotional
processes"

So I'm not sure the word really fits for either calling an API to
get back a JWT, or decrypting it...

- Mike

On 2015-12-28 14:05, Justin Richer wrote:
I’m confused about something: How is this “introspection”? Isn’t this
just using a structured token (JWT)? You can use both together if you
like (MITREid Connect has been doing this for years and HEART requires
it), but you shouldn’t confuse a self-contained structured token (JWT)
with an online token verification and information service
(introspection).

— Justin

On Dec 28, 2015, at 3:00 PM, Mike Schwartz <mike@gluu.org> wrote:
UMA-tarians,
We added support in the Gluu Server for local token introspection.
A few notes are here:
https://github.com/GluuFederation/oxAuth/issues/111 [2]
We decided to use the same signing algorithm as was registered for
the id_token signing in OpenID Connect dynamic client registration,
and re-publish this info in the UMA discovery endpoint.
We also added a discovery value "rpt_as_jwt" to specify that local
token introspection is in use.
Feedback is welcome... are we missing something?
- Mike

--
-------------------------------------
Michael Schwartz
Gluu
Founder / CEO
mike@gluu.org

_______________________________________________
WG-UMA mailing list
WG-UMA@kantarainitiative.org
http://kantarainitiative.org/mailman/listinfo/wg-uma [4]



Links:
------
[1] https://tools.ietf.org/html/rfc7662
[2] https://github.com/GluuFederation/oxAuth/issues/111
[3] https://datatracker.ietf.org/doc/draft-ietf-ace-oauth-authz/?include_text=1
[4] http://kantarainitiative.org/mailman/listinfo/wg-uma
