
UMA-tarians,

One of Gluu's customers has proposed using a JWT as the RPT token signed by the AS to avoid the call to the introspection API (for better performance). It didn't seem like a horrible idea, or anything that would break the security. Any thoughts? Am I wrong -- is there some inherent security advantage to calling the introspection API?

- Mike

-------------------------------------
Michael Schwartz
Gluu
Founder / CEO

I think I proposed that as a possible optimization a long time ago. I think at the time JWT was a ways from being finished and people didn't want to take a dependency on it. The flow was left so it could be a future option. I don't think that there is a security issue, but it is probably two or more years since I thought about it. Perhaps George or someone else remembers more about the discussion at the time.

John B.

Indeed, John remembers correctly. We only defined a remote introspection flow early on so that the end-to-end UMA flow would be complete in the face of other pieces not being finished yet. There's even an open issue on this: https://github.com/KantaraInitiative/wg-uma/issues/51

We've just been waiting for someone to want it badly enough to write a profile for us to consider. A locally inspectable token would be attractive for some IoT use cases (though maybe a JWT wouldn't be the best format for those; there are other candidates). There are the usual tradeoffs: entitlement freshness vs. ability for the RS to be disconnected at run time (with attendant performance benefits throughout the ecosystem). If you do this and want us to consider standardizing it, by all means submit it!

Eve
Eve Maler | cell +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl | Calendar: xmlgrrl@gmail.com
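The tradeoff the thread turns on (Mike's "JWT as the RPT, signed by the AS, no introspection call" versus Eve's "entitlement freshness vs. a disconnectable RS"), as an added example that is not from this thread, from Gluu, or from the UMA specification. It models an AS that mints an RPT as an ES256-signed JWT, a resource server that validates it with nothing but the AS public key, and an introspection call that also consults the AS's revocation list. The claim layout (aud, jti, exp, and a permissions map keyed by resource set id), the choice of ES256, the server names and the token id are all assumptions for the sake of the example; UMA defines no JWT-RPT profile.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"slices"
	"strings"
	"time"
)

// RPTClaims is an assumed JWT layout for illustration; UMA defines no JWT-RPT profile.
type RPTClaims struct {
	Aud         string              `json:"aud"`         // the RS this RPT was issued for
	Jti         string              `json:"jti"`         // token id, the handle the AS revokes by
	Exp         int64               `json:"exp"`         // seconds since the epoch
	Permissions map[string][]string `json:"permissions"` // resource set id -> granted scopes
}

// AS is the authorization server: the ES256 signing key plus a revocation list only it sees.
type AS struct {
	Key     *ecdsa.PrivateKey
	revoked map[string]bool
}

func NewAS() (*AS, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &AS{Key: k, revoked: map[string]bool{}}, err
}
var enc = base64.RawURLEncoding

// IssueRPT mints base64url(header).base64url(payload).base64url(R||S).
func (a *AS) IssueRPT(c RPTClaims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "typ": "JWT"})
	pl, _ := json.Marshal(c)
	input := enc.EncodeToString(hdr) + "." + enc.EncodeToString(pl)
	h := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, a.Key, h[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64) // JWS ES256 signatures are fixed-width R||S, not DER
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return input + "." + enc.EncodeToString(sig), nil
}
func (a *AS) Revoke(jti string) { a.revoked[jti] = true }

// Introspect models the remote endpoint: the RS's own checks plus the revocation state.
func (a *AS) Introspect(tok string, now time.Time) bool {
	c, err := VerifyRPT(tok, &a.Key.PublicKey, now)
	return err == nil && !a.revoked[c.Jti]
}

// VerifyRPT is the RS's offline check: pinned alg, signature, exp. It cannot see a revocation.
func VerifyRPT(tok string, pub *ecdsa.PublicKey, now time.Time) (*RPTClaims, error) {
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed JWT")
	}
	hdrJSON, err1 := enc.DecodeString(parts[0])
	plJSON, err2 := enc.DecodeString(parts[1])
	sig, err3 := enc.DecodeString(parts[2])
	if err1 != nil || err2 != nil || err3 != nil || len(sig) != 64 {
		return nil, errors.New("bad encoding")
	}
	var hdr struct{ Alg string }
	if json.Unmarshal(hdrJSON, &hdr) != nil || hdr.Alg != "ES256" {
		return nil, errors.New("unexpected alg") // never let the token choose the algorithm
	}
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, h[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, errors.New("signature check failed")
	}
	var c RPTClaims
	if json.Unmarshal(plJSON, &c) != nil || now.Unix() >= c.Exp {
		return nil, errors.New("unparseable or expired")
	}
	return &c, nil
}

// Granted is the RS's real question: does this RPT, issued to me, carry scope on the resource set?
func Granted(c *RPTClaims, rsID, resourceSet, scope string) bool {
	return c != nil && c.Aud == rsID && slices.Contains(c.Permissions[resourceSet], scope)
}

func main() {
	as, _ := NewAS()
	now := time.Now()
	tok, _ := as.IssueRPT(RPTClaims{Aud: "photos-rs", Jti: "rpt-1", Exp: now.Add(time.Hour).Unix(),
		Permissions: map[string][]string{"album-42": {"view"}}})
	c, err := VerifyRPT(tok, &as.Key.PublicKey, now)
	as.Revoke("rpt-1") // the RS is never told; its local check is unchanged
	fmt.Println("local ok:", err == nil, "view:", Granted(c, "photos-rs", "album-42", "view"), "introspection active:", as.Introspect(tok, now))
}
```

Three design points the thread's "nothing that would break the security" hinges on. The RPT is signed with an asymmetric key, so the RS holds only the AS public key and cannot mint or alter RPTs; an HMAC-signed RPT would hand every RS the issuing key. The RS pins the algorithm and an audience before it trusts any claim, so a token carrying alg "none" or issued to a different RS is rejected regardless of what the payload says. And the last two lines of main are Eve's tradeoff in one run: after the AS revokes the token, the offline check still accepts it until exp, while introspection reports it inactive, so the exp lifetime is the knob that trades freshness for the RS's ability to run disconnected.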