YS: Introspection: I'm wondering about the key element in the response. How does the AS know that the token is bound, and how does it know what key the Client should be using? In fact does it (and should it) even know who the Client is? Also, if I understand the situation correctly, the RS is supposed to send a not-fully-trusted access token to the AS first, and only then validate that it's bound to the correct key. This can easily go wrong.
JR: The AS is the party that binds the token to a key. The AS would almost certainly know which client it sent the token to — that’s a core element of the token model. This was added to the draft here: https://github.com/ietf-wg-gnap/gnap-resource-servers/pull/57/files but it seems like the editors’ copy did not update automatically.
Yes, there are several mistakes an introspecting RS could make, but that’s for discussion in the security considerations. Additional text and thoughts on those would be most welcome!
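To make the ordering concern concrete, here is an added example (not code from the issue, the draft, or the GNAP working group) of the RS-side check sequence for a key-bound token: the RS forwards the as-yet-untrusted token to the AS, and only after the introspection response names the bound key does it verify the client's proof of possession with *that* key, never with anything the client itself claims. The `active` / `access` / `key` response fields follow the shape discussed in the draft, but the exact names, the `kid` sub-field, the toy AS, the key registry and the HMAC-based proof are all assumptions made to keep the example stdlib-only (real GNAP keys are asymmetric JWKs with HTTP-message-signature style proofs).

```python
import hashlib
import hmac
import secrets

# --- Toy AS state (constructed sample data; a real AS persists this) ---
# Each issued token is recorded with the client it was granted to, the key it
# is bound to, and the access it carries. The AS, not the RS, is the party
# that binds a token to a key, so only the AS can answer "which key?".
AS_TOKENS = {}

# Constructed key registry: key id -> shared secret. This is a stand-in for
# the client's asymmetric key (hypothetical; HMAC used only so the example
# runs without third-party libraries).
KEY_REGISTRY = {
    "client-a-key": b"client-a-secret",
    "client-b-key": b"client-b-secret",
}


def as_issue_token(client_id, key_id, access):
    """AS side: mint a token and record the client/key binding."""
    token = secrets.token_urlsafe(24)
    AS_TOKENS[token] = {"client_id": client_id, "key_id": key_id, "access": access}
    return token


def as_introspect(token):
    """Toy introspection endpoint (field names are an assumption)."""
    rec = AS_TOKENS.get(token)
    if rec is None:
        return {"active": False}
    return {"active": True, "access": rec["access"], "key": {"kid": rec["key_id"]}}


def _signing_input(method, target, token, nonce):
    # Bind the proof to the request and the token; nonce tracking for replay
    # detection is omitted here.
    return f"{method}\n{target}\n{token}\n{nonce}".encode()


def client_request(token, key_id, method, target):
    """Client side: present the token with a proof made by key_id."""
    nonce = secrets.token_hex(8)
    tag = hmac.new(KEY_REGISTRY[key_id],
                   _signing_input(method, target, token, nonce),
                   hashlib.sha256).hexdigest()
    return {"method": method, "target": target, "token": token,
            "nonce": nonce, "proof": tag}


def rs_authorize(req, introspect=as_introspect):
    """RS side. Returns (ok, reason).

    Order matters: the token is untrusted when sent to the AS, so nothing in
    the request is believed until (1) the AS says the token is active and
    names its bound key, and (2) the client's proof verifies under that key.
    """
    resp = introspect(req["token"])
    if not resp.get("active"):
        return False, "inactive"
    key = resp.get("key")
    if not key or "kid" not in key:
        return False, "no_key_binding"      # never treat an unbound token as bound
    secret = KEY_REGISTRY.get(key["kid"])   # key chosen by the AS, not the client
    if secret is None:
        return False, "unknown_key"
    expected = hmac.new(secret,
                        _signing_input(req["method"], req["target"],
                                       req["token"], req["nonce"]),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, req.get("proof", "")):
        return False, "proof_mismatch"      # token presented by a different key holder
    if req["target"] not in resp.get("access", []):
        return False, "insufficient_access"
    return True, "ok"


def demo():
    """Three presentations of the same token: legitimate, stolen, bogus."""
    tok = as_issue_token("client-a", "client-a-key", ["/resource"])
    good = rs_authorize(client_request(tok, "client-a-key", "GET", "/resource"))
    stolen = rs_authorize(client_request(tok, "client-b-key", "GET", "/resource"))
    bogus = rs_authorize(client_request("not-a-token", "client-a-key", "GET", "/resource"))
    return good, stolen, bogus


if __name__ == "__main__":
    print(demo())
```

The request the client sends carries no key identifier at all; the RS learns which key to verify against solely from the AS, which is the point JR makes above. An introspection response that reports `active` without a `key` is rejected rather than silently treated as a bearer token.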