
I’m confused about something: How is this “introspection”? Isn’t this just using a structured token (JWT)? You can use both together if you like (MITREid Connect has been doing this for years and HEART requires it), but you shouldn’t confuse a self-contained structured token (JWT) with an online token verification and information service (introspection).

— Justin

On Dec 28, 2015, at 3:00 PM, Mike Schwartz <mike@gluu.org> wrote:
UMA-tarians,
We added support in the Gluu Server for local token introspection.
A few notes are here: https://github.com/GluuFederation/oxAuth/issues/111
We decided to use the same signing algorithm as was registered for the id_token signing in OpenID Connect dynamic client registration, and re-publish this info in the UMA discovery endpoint.
We also added a discovery value "rpt_as_jwt" to specify that local token introspection is in use.
Feedback is welcome... are we missing something?
- Mike
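
The distinction discussed in this thread, as an added example that is not part of either message and is not Gluu or MITREid Connect code: a resource server validating a JWT-formatted RPT offline, next to asking the authorization server about the same token. HS256, the key, the `jti`-based revocation set and the `AuthorizationServer` class are assumptions chosen so the sketch runs on the Python standard library alone.

```python
import base64, hashlib, hmac, json

KEY = b"constructed-demo-key"  # constructed secret; HS256 is an assumption of this sketch

def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64u_dec(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_rpt(claims: dict) -> str:
    """AS side: mint a signed, self-contained RPT (compact JWS)."""
    head = b64u(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64u(json.dumps(claims).encode())
    sig = hmac.new(KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64u(sig)}"

def validate_locally(token: str, now: float):
    """RS side, offline: pin alg, check signature and expiry; no call to the AS."""
    try:
        head, body, sig = token.split(".")
        if json.loads(b64u_dec(head)).get("alg") != "HS256":  # rejects alg "none"
            return None
        good = hmac.new(KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(good, b64u_dec(sig)):
            return None
        claims = json.loads(b64u_dec(body))
        return claims if claims.get("exp", 0) > now else None
    except (ValueError, TypeError, AttributeError):
        return None

class AuthorizationServer:
    """Hypothetical stand-in for the online introspection service; state lives at the AS."""
    def __init__(self):
        self.revoked = set()

    def introspect(self, token: str, now: float) -> dict:
        claims = validate_locally(token, now)
        if claims is None or claims.get("jti") in self.revoked:
            return {"active": False}
        return {"active": True, **claims}

def demo(now=1_700_000_000):
    """Revoke an unexpired RPT, then compare what each path reports."""
    as_ = AuthorizationServer()
    rpt = issue_rpt({"jti": "rpt-1", "exp": now + 300})
    as_.revoked.add("rpt-1")
    return validate_locally(rpt, now) is not None, as_.introspect(rpt, now)["active"]
```

`demo()` returns `(True, False)`: the offline check still accepts a token the authorization server has revoked, which is why short RPT lifetimes matter when only the self-contained form is used.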