|
> Token introspection is an optional feature primarily intended for clients No. The abstract of RFC 7662 (OAuth Introspection) starts: This specification defines a method for a
protected resource to query an OAuth 2.0 authorization server to determine the active state of an OAuth 2.0 token and to determine meta-information about this token Introspection is primarily for resource servers (RSs),
not clients. Denis, you are putting a lot of effort into improving privacy handling in OAuth. But by repeatedly using the wrong terms and attributing actions to the wrong entities your suggested text is not usable. > If no Token introspection endpoint is published by an AS,
Wow. That is a huge leap of faith. Any extra interactions between an RS & AS are somehow prevented (“cannot happen”) because AS metadata shown to another party (a client) is missing a URL? The whole point of RFC 7662 (as discussed in its introduction) is that various “proprietary inter-service communication mechanisms (such as shared databases and protected enterprise service buses)”
have been developed to convey token info between AS & RS. So a standard could be helpful option for AS/RSs considering proprietary options. None of those proprietary mechanisms are mentioned in OAuth metadata published to clients. -- James Manger From: OAuth <oauth-bounces@xxxxxxxx>
On Behalf Of Denis
Hi Ben, This new thread, i.e."Towards an RFC Errata to RFC 7662 ?" is used to discuss one of the topics raised in:
Only the text relevant to this topic has been left. The text that has been discussed and polished would perfectly fit into the Privacy Consideration section from RFC 7662. Here it is again:
Privacy considerations sections do not change the protocol but only provide some warnings. Warning the implementers is fine,
Thanks to your observations, I noticed that the sentence "the call described in OAuth Introspection [RFC 7662] should be avoided"
Denis |
-- last-call mailing list last-call@xxxxxxxx https://www.ietf.org/mailman/listinfo/last-call
