<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<font face="Helvetica, Arial, sans-serif">On the "structured token"
side of things I remember having a discussion about this at IIW (a
few back) and I thought someone and written something up. It was
needed in a number of cases that were using the token
introspection endpoint as a way to identifier the authorization
server to send the token to for introspection. I can't find my
notes on the conversation but maybe someone else remembers?<br>
<br>
I think conceptually it was as simple as a non-signed JWT
containing iss and token fields. Obviously, the rest of JOSE could
be applied for signed or encrypted tokens.<br>
<br>
Thanks,<br>
George<br>
<br>
</font>
<div class="moz-cite-prefix">On 3/12/14 9:02 PM, n-sakimura wrote:<br>
</div>
<blockquote cite="mid:532103A2.1060208@nri.co.jp" type="cite">Let's
just write up requirements on the WG wiki (@bitbucket).
<br>
Once we agree on the requirements, it should be straight forward
to turn it into a spec.
<br>
<br>
On the side note, perhaps it is actually for OAuth WG, but it
would be nice to spec out the structured (access) token. it could
be pseudo opaque as well as long as you can find the authorization
server from the token but we at least need to be able to find out
the iss.
<br>
<br>
Nat
<br>
<br>
(2014/03/13 3:58), John Bradley wrote:
<br>
<blockquote type="cite">We have discussed creating a backchannel
push method for the IdP to notify the RP.
<br>
<br>
So far noting is written up. I have a bad feeling that it might
be me that needs to create the first draft.
<br>
<br>
John B.
<br>
<br>
On Mar 12, 2014, at 3:54 PM, Pedro Felix
<a class="moz-txt-link-rfc2396E" href="mailto:pmhsfelix@gmail.com"><pmhsfelix@gmail.com></a> wrote:
<br>
<br>
<blockquote type="cite">Hi,
<br>
<br>
I've a scenario where a OIDC OP is acting as a bridge between
upstream IdPs using non-OIDC protocols (e.g Shibboleth) and
downstream RPs using OIDC.
<br>
In this scenario I have the following requirements
<br>
1) The upstream IdP notifies the OP of a session
termination via back-channel
<br>
2) The OP propagate this cleanup notification to the
downstream RPs, also via back-channel (a back-channel to
front-channel is not possible)
<br>
<br>
Unfortunately, the OIDC session management spec does not
provide any way to perform this back-channel cleanup, however
I remember reading some meeting notes about this possibility.
<br>
<br>
Is there anything that can be shared? I would like to align
our solution with what is being developed by this working
group.
<br>
<br>
Thanks
<br>
Pedro
<br>
_______________________________________________
<br>
Openid-specs-ab mailing list
<br>
<a class="moz-txt-link-abbreviated" href="mailto:Openid-specs-ab@lists.openid.net">Openid-specs-ab@lists.openid.net</a>
<br>
<a class="moz-txt-link-freetext" href="http://lists.openid.net/mailman/listinfo/openid-specs-ab">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a>
<br>
</blockquote>
<br>
<br>
<br>
_______________________________________________
<br>
Openid-specs-ab mailing list
<br>
<a class="moz-txt-link-abbreviated" href="mailto:Openid-specs-ab@lists.openid.net">Openid-specs-ab@lists.openid.net</a>
<br>
<a class="moz-txt-link-freetext" href="http://lists.openid.net/mailman/listinfo/openid-specs-ab">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a>
<br>
<br>
</blockquote>
<br>
<br>
</blockquote>
<br>
<div class="moz-signature">-- <br>
<a href="http://connect.me/gffletch" title="View full card on
Connect.Me"><img src="cid:part1.04040107.06070101@aol.com"
alt="George Fletcher" width="359" height="113"></a></div>
</body>
</html>