[Openid-specs-ab] Introspection Profile for OpenID Connect
ve7jtb at ve7jtb.com
Fri Sep 13 03:42:25 UTC 2013
Connect specifically allows any OAuth token type and token verification method to be used for the RS/user_info endpoint. Typically it is controlled by the same entity that controls the AS if unstructured tokens are used. Many people are using JWT as access tokens and those don't typically require introspection.
UMA has a much more complex authorization model than OAuth, so it needs a fairly complicated introduction and introspection. Connect can live with that if that is what the IdP wants to do.
There is also an introspection draft: http://tools.ietf.org/html/draft-richer-oauth-introspection
Introspection of access tokens is currently out of scope for Connect.
On 2013-09-12, at 1:34 PM, mike at gluu.org wrote:
> OpenID Connect Gurus,
> I was wondering why there is no introspection endpoint defined by OpenID Connect. UMA has a profile for this. Am I missing something? How else could you get information about a bearer token?
> - Mike
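An added example, not part of the original thread or of any OpenID Connect specification, contrasting the two cases the reply describes: a resource server validating a JWT access token locally versus asking the AS about an unstructured token. The shared HS256 key, the token store, all function names and the `active` response flag (modelled on the introspection work linked above) are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, time

SHARED_KEY = b"constructed-demo-key"  # assumption: AS and RS share an HS256 key
# Constructed AS-side state for opaque tokens; the RS cannot read it directly.
AS_TOKEN_STORE = {"opaque-7f3a": {"sub": "alice", "exp": int(time.time()) + 300}}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_jwt(claims: dict) -> str:
    """AS side: mint an HS256 JWT access token."""
    head = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(SHARED_KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url(sig)}"

def validate_jwt_locally(token: str):
    """RS side: no call to the AS; signature and exp are checked in place."""
    try:
        head, body, sig = token.split(".")
        if json.loads(b64url_decode(head)).get("alg") != "HS256":  # pin the alg
            return None
        expected = hmac.new(SHARED_KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            return None
        claims = json.loads(b64url_decode(body))
        return claims if claims["exp"] > time.time() else None
    except (ValueError, TypeError, AttributeError, KeyError):
        return None  # malformed token, bad encoding, or missing exp

def introspect(token: str) -> dict:
    """AS side: stand-in for an introspection endpoint (no network here)."""
    record = AS_TOKEN_STORE.get(token)
    if record is None or record["exp"] <= time.time():
        return {"active": False}
    return {"active": True, **record}

def resource_server_check(token: str):
    """RS side: structured tokens validate locally, opaque ones need the AS."""
    if token.count(".") == 2:
        return validate_jwt_locally(token)
    answer = introspect(token)
    return answer if answer["active"] else None
```

The opaque path only works because the resource server can reach state held by the AS, which is why the reply notes that both are typically run by the same entity when unstructured tokens are used.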