<?xml version="1.0" encoding="UTF-8"?><!-- This template is for creating an Internet Draft using xml2rfc, which is available here: http://xml.resource.org. --><!DOCTYPE rfcSYSTEM "rfc2629.dtd"[<!-- One method to get references from the online citation libraries. There has to be one entity for each item to be referenced. An alternate method (rfc include) is described in the references. --><!ENTITYRFC2119 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2119.xml">nbsp " "> <!ENTITYRFC2629 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2629.xml">zwsp "​"> <!ENTITYRFC3552 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.3552.xml">nbhy "‑"> <!ENTITYI-D.narten-iana-considerations-rfc2434bis SYSTEM "http://xml.resource.org/public/rfc/bibxml3/reference.I-D.narten-iana-considerations-rfc2434bis.xml">wj "⁠"> ]><?xml-stylesheet type='text/xsl' href='rfc2629.xslt' ?> <!-- used by XSLT processors --> <!-- For a complete list and description of processing instructions (PIs), please see http://xml.resource.org/authoring/README.html. --><rfc xmlns:xi="http://www.w3.org/2001/XInclude" docName="draft-ietf-oauth-jwt-introspection-response-12" number="9701" ipr="trust200902" obsoletes="" updates="" submissionType="IETF" category="std" consensus="true" xml:lang="en" tocInclude="true" tocDepth="4" symRefs="true" sortRefs="true" version="3"> <!--Below are generally applicable Processing Instructions (PIs) that most I-Ds might want to use. (Here they are set differently than their defaults inxml2rfcv1.32) --> <?rfc strict="yes" ?> <!-- give errors regarding ID-nits and DTD validationv2v3 conversion 3.9.1 --><!-- control<front> <!--[rfced] FYI, thetabletitle ofcontents (ToC) --> <?rfc toc="yes"?> <!-- generate a ToC --> <?rfc tocdepth="4"?> <!--thenumber of levelsdocument has been updated as follows. Abbreviations have been expanded per Section 3.6 ofsubsections in ToC. default: 3 --> <!-- control referencesRFC 7322 ("RFC Style Guide"). Please review. Original: JWT Response for OAuth Token Introspection Current: JSON Web Token (JWT) Response for OAuth Token Introspection --><?rfc symrefs="yes"?> <!--<!--[rfced] FYI, regarding the usesymbolic references tags, i.e, [RFC2119] insteadof[1] --> <?rfc sortrefs="yes" ?> <!-- sort the reference entries alphabetically --> <!-- control vertical white space<tt> within this document, it renders (usingthese PIs as follows is recommended byxml2rfc) in fixed-width font in theRFC Editor) --> <?rfc compact="yes" ?> <!-- do not start each main section on a new page --> <?rfc subcompact="no" ?> <!-- keep one blank line between list items --> <!-- end of listHTML and PDF files. However, the rendering ofpopular I-D processing instructions --> <rfc category="std" docName="draft-ietf-oauth-jwt-introspection-response-12" ipr="trust200902"> <!-- category values: std, bcp, info, exp, and historic ipr values: full3667, noModification3667, noDerivatives3667<tt> in the text file was changed in September 2021 - quotation marks are no longer added. When youcan addreview theattributes updates="NNNN" and obsoletes="NNNN" theydiff file for this document, it willautomatically be output with "(if approved)" --> <!-- ***** FRONT MATTER ***** --> <front> <!-- The abbreviated titleappear that the RPC removed quotation marks; however, actually this is due to the rendering change for <tt>. (For details, see the release notes for v3.10.0 on https://github.com/ietf-tools/xml2rfc/blob/main/CHANGELOG.md) Examples of where <tt> is used in thepageoriginal (and remains): alg value, enc value Accept HTTP header field aud claim, token_introspection claim typ JWT header- it is only necessary if the full title is longer than 39 characters--> <title abbrev="JWTResponse">JWTResponse">JSON Web Token (JWT) Response for OAuth Token Introspection</title> <seriesInfo name="RFC" value="9701"/> <author fullname="Torsten Lodderstedt" initials="T." role="editor" surname="Lodderstedt"> <organization>yes.com AG</organization> <address> <email>torsten@lodderstedt.net</email><!-- uri and facsimile elements may also be added --></address> </author> <author fullname="Vladimir Dzhuvinov" initials="V." surname="Dzhuvinov"> <organization>Connect2id Ltd.</organization> <address> <email>vladimir@connect2id.com</email><!-- uri and facsimile elements may also be added --></address> </author> <dateday="04" month="Sep" year="2021" /> <!-- Meta-data Declarations -->month="November" year="2024"/> <area>Security Area</area> <workgroup>Open Authentication Protocol</workgroup><!-- WG name at the upperleft corner of the doc, IETF is fine for individual submissions. If this element is not present, the default is "Network Working Group", which is used by the RFC Editor as a nod to the history of the IETF. --><keyword>token introspection</keyword> <keyword>JWT</keyword> <keyword>oauth2</keyword><!-- Keywords will be incorporated into HTML output files in a meta tag but they have no effect on text or nroff output. If you submit your draft<abstract> <!--[rfced] May we update this sentence as follows, to clarify theRFC Editor, the keywords will be usedphrase "additional JSON Web Token (JWT) secured response"? Original: This specification proposes an additional JSON Web Token (JWT) secured response forthe search engine.OAuth 2.0 Token Introspection. Perhaps: This specification proposes an additional response secured by JSON Web Token (JWT) for OAuth 2.0 Token Introspection. --><abstract><t>This specification proposes an additional JSON Web Token (JWT) secured response for OAuth 2.0 Token Introspection.</t> </abstract> </front> <middle> <section anchor="Introduction"title="Introduction">numbered="true" toc="default"> <name>Introduction</name> <t><xreftarget="RFC7662">OAuthtarget="RFC7662" format="default">"OAuth 2.0 TokenIntrospection</xref>Introspection"</xref> specifies a method for a protected resource to query an OAuth 2.0 authorization server to determine the state of an access token and obtain data associated with the access token. This enables deployments to implement opaque access tokens in an interoperable way.</t> <t>The introspection response, as specified in <xreftarget="RFC7662">OAuthtarget="RFC7662" format="default">"OAuth 2.0 TokenIntrospection</xref>,Introspection"</xref>, is a plain JSON object. However, there are use cases where the resource server requires stronger assurance that the authorization server issued the token introspection response for an access token, including cases where the authorization server assumes liability for the content of the token introspection response. An example is a resource server using verifiedpersonpersonal data to create certificates, which in turn are used to create qualified electronic signatures.</t> <t>In such usecasescases, it may be useful or even required to return a signed <xreftarget="RFC7519">JWT</xref>target="RFC7519" format="default">JWT</xref> as the introspection response. This specification extends the token introspection endpoint with the capability to return responses as JWTs.</t> </section> <section anchor="RNC"title="Requirements Notation and Conventions">numbered="true" toc="default"> <name>Requirements Notation</name> <t> The key words"MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY","<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>", "<bcp14>MAY</bcp14>", and"OPTIONAL""<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as described inBCP 14BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they appear in all capitals, as shown here. </t> </section> <section anchor="as-rs-relationship"title="Resourcenumbered="true" toc="default"> <name>Resource ServerManagement">Management</name> <t>The authorization server (AS) and the resource server (RS) maintain astrongstrong, two-way trust relationship. The resource server relies on the authorization server to obtain authorization,useruser, and other data as input to its access control decisions and service delivery. The authorization server relies on the resource server to handle the provided data appropriately.</t> <t>In the context of this specification, the token introspection endpoint is used to convey such security data and potentially alsoprivacy sensitiveprivacy-sensitive data related to an access token.</t> <t>In order to process the introspection requests in a secure and privacy-preserving manner, the authorization serverMUST<bcp14>MUST</bcp14> be able to identify,authenticateauthenticate, and authorize resource servers.</t> <t>Theauthorization server MAYAS <bcp14>MAY</bcp14> additionally encrypt the token introspection response JWTs. If encryption isusedused, theauthorization serverAS is provisioned with encryption keys and algorithms for the RS.</t> <t>Theauthorization server MUSTAS <bcp14>MUST</bcp14> be able to determine whether an RS is the audience for a particular access token and what data it is entitled toreceive, otherwisereceive; otherwise, the RS is not authorized to obtain data for the access token. The AS has the discretion of how tofulfilfulfill this requirement. The AS could, for example, maintain a mapping between scope values andresource servers.</t>RSes.</t> <t>The requirements given above imply that theauthorization serverAS maintains credentials and other configuration data for each RS.</t> <t>One way is by utilizing dynamic client registration <xreftarget="RFC7591"/>target="RFC7591" format="default"/> and treating every RS as an OAuth client. In this case, theauthorization serverAS is assumed to at least maintain a "client_id" and a "token_endpoint_auth_method" with complementary authentication method metadata, such as "jwks" or "client_secret". In cases where the AS needs to acquire consent to transmit data toaan RS, the following client metadata fields are recommended: "client_name", "client_uri", "contacts", "tos_uri", and "policy_uri".</t> <t>The ASMUST<bcp14>MUST</bcp14> restrict the use of client credentials byaan RS to the calls it requires,e.g.e.g., the ASMAY<bcp14>MAY</bcp14> restrict such a client to call the token introspection endpoint only. How the AS implements this restriction is beyond the scope of this specification.</t> <t>This specification further introduces client metadata to manage the configuration options required to sign and encrypt token introspection response JWTs.</t> </section> <section anchor="jwt_request"title="Requestingnumbered="true" toc="default"> <name>Requesting a JWTResponse"> <t>A resource serverResponse</name> <t>An RS requests a JWT introspection response by sending an introspection request with an<spanx style="verb">Accept</spanx><tt>Accept</tt> HTTP header field set to "application/token-introspection+jwt".</t> <!--[rfced] Please clarify the latter part of this sentence. What is "identifying it as subject" referring to? Original: Authentication can utilize client authentication methods or a separate access token issued to the resource server and identifying it as subject. Perhaps (referring to the resource server): Authentication can utilize client authentication methods or a separate access token issued to the RS to identify the RS as the subject. Or (also referring to the resource server): Authentication can utilize client authentication methods or a separate access token that is issued to the RS and identifies the RS as the subject. --> <t>The ASMUST<bcp14>MUST</bcp14> authenticate the caller at the token introspection endpoint. Authentication can utilize client authentication methods or a separate access token issued to theresource serverRS and identifying it as subject.</t> <t>The following is a non-normative example request, with theresource serverRS authenticating with a private key JWT:</t><t> <figure> <artwork><![CDATA[POST<sourcecode name="" type=""><![CDATA[ POST /introspect HTTP/1.1 Host: as.example.com Accept: application/token-introspection+jwt Content-Type: application/x-www-form-urlencoded token=2YotnFZFEjr1zCsicMWpAA& client_assertion_type= urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer& client_assertion=PHNhbWxwOl[...omitted forbrevity...]ZT]]></artwork> </figure> </t>brevity...]ZT ]]></sourcecode> </section> <section anchor="jwt_response"title="JWT Response">numbered="true" toc="default"> <name>JWT Response</name> <t>The introspection endpoint responds with a JWT, setting the<spanx style="verb">Content-Type</spanx><tt>Content-Type</tt> HTTP header field to "application/token-introspection+jwt" and the JWT<spanx style="verb">typ</spanx><tt>typ</tt> ("type") header parameter to "token-introspection+jwt".</t> <t>The JWTMUST<bcp14>MUST</bcp14> include the following top-level claims:<list hangIndent="8" style="hanging"> <t hangText="iss">MUST</t> <dl newline="true" spacing="normal"> <dt>iss</dt> <dd><bcp14>MUST</bcp14> be set to the issuer URL of the authorizationserver.</t> <t hangText="aud">MUSTserver.</dd> <dt>aud</dt> <dd><bcp14>MUST</bcp14> identify the resource server receiving the token introspectionresponse.</t> <t hangText="iat">MUSTresponse.</dd> <dt>iat</dt> <dd><bcp14>MUST</bcp14> be set to the time when the introspection response was created by the authorizationserver.</t> <t hangText="token_introspection">Aserver</dd> <dt>token_introspection</dt> <dd> <!--[rfced] We are having some difficulty parsing this sentence, specifically "a dedicated containing JWT claim". How should it be updated? Original: The separation of the introspection response members into a dedicated containing JWT claim is intended to prevent conflict and confusion with top-level JWT claims that may bear the same name. Perhaps: The separation of the introspection response members into a dedicated, contained JWT claim is intended to prevent conflict and confusion with top-level JWT claims that may bear the same name. --> <t>A JSON object containing the members of the token introspectionresponseresponse, as specified in <xreftarget="RFC7662"/>, section 2.2.target="RFC7662" section="2.2" sectionFormat="comma" format="default"/>. The separation of the introspection response members into a dedicated containing JWT claim is intended to prevent conflict and confusion with top-level JWT claims that may bear the same name.<vspace blankLines="1" /></t> <t> If the access token is invalid, expired, revoked, or not intended for the calling resource server (audience), the authorization serverMUST<bcp14>MUST</bcp14> set the value of the<spanx style="verb">active</spanx><tt>active</tt> member in the<spanx style="verb">token_introspection</spanx><tt>token_introspection</tt> claim to<spanx style="verb">false</spanx><tt>false</tt> andMUST NOT<bcp14>MUST NOT</bcp14> include other members. Otherwise, the<spanx style="verb">active</spanx><tt>active</tt> member is set to<spanx style="verb">true</spanx>. <vspace blankLines="1" /><tt>true</tt>. </t> <t> The ASSHOULD<bcp14>SHOULD</bcp14> narrow down the<spanx style="verb">scope</spanx><tt>scope</tt> value to the scopes relevant to the particular RS.<vspace blankLines="1" /></t> <t> As specified insection 2.2 of<xreftarget="RFC7662"/>,target="RFC7662" section="2.2" sectionFormat="of" format="default"/>, implementationsMAY<bcp14>MAY</bcp14> extend the token introspection response with service-specific claims. In the context of this specification, such claims will be added as top-level members of the<spanx style="verb">token_introspection</spanx><tt>token_introspection</tt> claim.<vspace blankLines="1" /></t> <t> Token introspection response parameter names intended to be used across domainsMUST<bcp14>MUST</bcp14> be registered in the <xreftarget="IANA.OAuth.Token.Introspection">OAuthtarget="IANA.OAuth.Token.Introspection" format="default">"OAuth Token IntrospectionResponseResponse" registry</xref> defined by <xreftarget="RFC7662"/>. <vspace blankLines="1" />target="RFC7662" format="default"/>. </t> <t> When the AS acts as a provider of resource owner identity claims to the RS, the ASdeterminesdetermines, based on its RS-specificpolicypolicy, what identity claims to return in the token introspection response. The ASMUST<bcp14>MUST</bcp14> ensure the release of any privacy-sensitive data is legally based (see <xreftarget="privacy"/>). <vspace blankLines="1" />target="privacy" format="default"/>). </t> <t> Further content of the introspection response is determined by the RS-specific policy at the AS.</t></list> </t></dd> </dl> <t>The JWTMAY<bcp14>MAY</bcp14> include other claims, including those from the "JSON Web Token Claims" registry established by <xreftarget="RFC7519"/>.target="RFC7519" format="default"/>. The JWTSHOULD NOT<bcp14>SHOULD NOT</bcp14> include the<spanx style="verb">sub</spanx><tt>sub</tt> and<spanx style="verb">exp</spanx><tt>exp</tt> claims, as an additionalprevention againstmeasure to prevent misuse of the JWT as an access token (see <xreftarget="Cross-JWT_Confusion"/>).</t>target="Cross-JWT_Confusion" format="default"/>).</t> <!--[rfced] Please review whether any of the notes in this document should be in the <aside> element. It is defined as "a container for content that is semantically less important or tangential to the content that surrounds it" (https://xml2rfc.tools.ietf.org/xml2rfc-doc.html#name-aside-2). --> <t>Note: Although the JWT format is widely used as an access token format, the JWT returned in the introspection response is not an alternative representation of the introspected access token and is not intended to be used as an access token.</t> <t>This specification registers the "application/token-introspection+jwt" media type, which is used as the value of the<spanx style="verb">typ</spanx><tt>typ</tt> ("type") header parameter of the JWT to indicate that the payload is a token introspection response.</t> <t>The JWT is cryptographically secured as specified in <xreftarget="RFC7519"/>.</t>target="RFC7519" format="default"/>.</t> <t>Depending on the specific resource serverpolicypolicy, the JWT is eithersigned,signed or signed and encrypted. If the JWT is signed andencryptedencrypted, itMUST<bcp14>MUST</bcp14> be a Nested JWT, as defined in <xreftarget="RFC7519">JWT</xref>.</t>target="RFC7519" format="default">JWT</xref>.</t> <t>Note: An AS compliant with this specificationMUST<bcp14>MUST</bcp14> refuse to serve introspection requests that don't authenticate thecaller,caller and return an HTTP status code 400. This is done to ensure token data is released to legitimate recipients only and prevent downgrading to <xreftarget="RFC7662"/>target="RFC7662" format="default"/> behavior (see <xreftarget="token_data_leakage"/>).</t>target="token_data_leakage" format="default"/>).</t> <t>The following is a non-normative example response (with line breaks for display purposes only):</t><t> <figure> <artwork><![CDATA[HTTP/1.1<sourcecode name="" type=""><![CDATA[ HTTP/1.1 200 OK Content-Type: application/token-introspection+jwt eyJraWQiOiJ3RzZEIiwidHlwIjoidG9rZW4taW50cm9zcGVjdGlvbitqd3QiLCJhbGc iOiJSUzI1NiJ9.eyJpc3MiOiJodHRwczovL2FzLmV4YW1wbGUuY29tLyIsImF1ZCI6I mh0dHBzOi8vcnMuZXhhbXBsZS5jb20vcmVzb3VyY2UiLCJpYXQiOjE1MTQ3OTc4OTIs InRva2VuX2ludHJvc3BlY3Rpb24iOnsiYWN0aXZlIjp0cnVlLCJpc3MiOiJodHRwczo vL2FzLmV4YW1wbGUuY29tLyIsImF1ZCI6Imh0dHBzOi8vcnMuZXhhbXBsZS5jb20vcm Vzb3VyY2UiLCJpYXQiOjE1MTQ3OTc4MjIsImV4cCI6MTUxNDc5Nzk0MiwiY2xpZW50X 2lkIjoicGFpQjJnb28wYSIsInNjb3BlIjoicmVhZCB3cml0ZSBkb2xwaGluIiwic3Vi IjoiWjVPM3VwUEM4OFFyQWp4MDBkaXMiLCJiaXJ0aGRhdGUiOiIxOTgyLTAyLTAxIiw iZ2l2ZW5fbmFtZSI6IkpvaG4iLCJmYW1pbHlfbmFtZSI6IkRvZSIsImp0aSI6InQxRm 9DQ2FaZDRYdjRPUkpVV1ZVZVRaZnNLaFczMENRQ3JXRERqd1h5NncifX0.przJMU5Gh mNzvwtt1Sr-xa9xTkpiAg5IshbQsRiRVP_7eGR1GHYrNwQh84kxOkHCyje2g5WSRcYo sGEVIiC-eoPJJ-qBwqwSlgx9JEeCDw2W5DjrblOI_N0Jvsq_dUeOyoWVMqlOydOBhKN Y0smBrI4NZvEExucOm9WUJXMuJtvq1gBes-0go5j4TEv9sOP9uu81gqWTr_LOo6pgT0 tFFyZfWC4kbXPXiQ2YT6mxCiQRRNM-l9cBdF6Jx6IOrsfFhBuYdYQ_mlL19HgDDOFaleyqmru6lKlASOsaE8dmLSeKcX91FbG79FKN8un24iwIDCbKT9xlUFl54xWVShNDFA]]></artwork> </figure> </t>eyqmru6lKlASOsaE8dmLSeKcX91FbG79FKN8un24iwIDCbKT9xlUFl54xWVShNDFA ]]></sourcecode> <t> The example response JWT header contains the following JSON document: </t><t> <figure> <artwork><![CDATA[{<sourcecode name="" type=""><![CDATA[ { "typ": "token-introspection+jwt", "alg": "RS256", "kid": "wG6D"}]]></artwork> </figure> </t>} ]]></sourcecode> <t> The example response JWT payload contains the following JSON document: </t><t> <figure> <artwork><![CDATA[{<sourcecode name="" type=""><![CDATA[ { "iss":"https://as.example.com/", "aud":"https://rs.example.com/resource", "iat":1514797892, "token_introspection": { "active":true, "iss":"https://as.example.com/", "aud":"https://rs.example.com/resource", "iat":1514797822, "exp":1514797942, "client_id":"paiB2goo0a", "scope":"read write dolphin", "sub":"Z5O3upPC88QrAjx00dis", "birthdate":"1982-02-01", "given_name":"John", "family_name":"Doe", "jti":"t1FoCCaZd4Xv4ORJUWVUeTZfsKhW30CQCrWDDjwXy6w" }}]]></artwork> </figure> </t>} ]]></sourcecode> </section> <section anchor="client_metadata"title="Client Metadata">numbered="true" toc="default"> <name>Client Metadata</name> <t>The authorization server determines the algorithm to secure the JWT for a particular introspection response. This decision can be based on registered metadata parameters for the resource server, supplied via dynamic client registration <xreftarget="RFC7591"/>target="RFC7591" format="default"/> with the resource server acting as a client, as specified below.</t> <t>The parameter names follow the pattern established by <xreftarget="OpenID.Registration">OpenIDtarget="OpenID.Registration" format="default">OpenID Connect Dynamic Client Registration</xref> for configuring signing and encryption algorithms for JWT responses at the UserInfo endpoint.</t> <t>The following client metadata parameters are introduced by this specification:<list hangIndent="8" style="hanging"> <t hangText="introspection_signed_response_alg">OPTIONAL.</t> <dl newline="true" spacing="normal"> <dt>introspection_signed_response_alg</dt> <dd><bcp14>OPTIONAL</bcp14>. <xreftarget="RFC7515">JWS</xref>target="RFC7515" format="default">"JSON Web Signature (JWS)"</xref> algorithm(<spanx style="verb">alg</spanx> value)(<tt>alg</tt> value), as defined in <xreftarget="RFC7518">JWA</xref>target="RFC7518" format="default">"JSON Web Algorithms (JWA)"</xref>, for signing introspection responses. If this is specified, the response will be signed using JWS and the configured algorithm. The default, if omitted, is<spanx style="verb">RS256</spanx>.</t> <t hangText="introspection_encrypted_response_alg">OPTIONAL.<tt>RS256</tt>.</dd> <dt>introspection_encrypted_response_alg</dt> <dd><bcp14>OPTIONAL</bcp14>. <xreftarget="RFC7516">JWE</xref>target="RFC7516" format="default">"JSON Web Encryption (JWE)"</xref> algorithm(<spanx style="verb">alg</spanx> value)(<tt>alg</tt> value), as defined in <xreftarget="RFC7518">JWA</xref>target="RFC7518" format="default">JWA</xref>, for content key encryption. If this is specified, the response will be encrypted using JWE and the configured content encryption algorithm(<spanx style="verb">introspection_encrypted_response_enc</spanx>).(<tt>introspection_encrypted_response_enc</tt>). The default, if omitted, is that no encryption is performed. If both signing and encryption are requested, the response will be signed then encrypted, with the result being a Nested JWT, as defined in <xreftarget="RFC7519">JWT</xref>.</t> <t hangText="introspection_encrypted_response_enc">OPTIONAL.target="RFC7519" format="default">JWT</xref>.</dd> <dt>introspection_encrypted_response_enc</dt> <dd><bcp14>OPTIONAL</bcp14>. <xreftarget="RFC7516">JWE</xref>target="RFC7516" format="default">JWE</xref> algorithm(<spanx style="verb">enc</spanx> value)(<tt>enc</tt> value), as defined in <xreftarget="RFC7518">JWA</xref>target="RFC7518" format="default">JWA</xref>, for content encryption of introspection responses. The default, if omitted, is<spanx style="verb">A128CBC-HS256</spanx>.<tt>A128CBC-HS256</tt>. Note: This parameterMUST NOT<bcp14>MUST NOT</bcp14> be specified without setting<spanx style="verb">introspection_encrypted_response_alg</spanx>.</t> </list> </t><tt>introspection_encrypted_response_alg</tt>.</dd> </dl> <t>Resource servers may register their public encryption keys using the<spanx style="verb">jwks_uri</spanx><tt>jwks_uri</tt> or<spanx style="verb">jwks</spanx><tt>jwks</tt> metadata parameters.</t> </section> <section anchor="server_metadata"title="Authorizationnumbered="true" toc="default"> <name>Authorization ServerMetadata">Metadata</name> <t>Authorization serversSHOULD<bcp14>SHOULD</bcp14> publish the supported algorithms for signing and encrypting the JWT of an introspection response by utilizing <xreftarget="RFC8414">OAuthtarget="RFC8414" format="default">"OAuth 2.0 Authorization ServerMetadata</xref>Metadata"</xref> parameters. Resource servers use this data to parametrize their client registration requests.</t> <t>The following parameters are introduced by this specification:<list hangIndent="8" style="hanging"> <t hangText="introspection_signing_alg_values_supported"> OPTIONAL.</t> <dl newline="true" spacing="normal"> <dt>introspection_signing_alg_values_supported</dt> <dd> <bcp14>OPTIONAL</bcp14>. JSON array containing a list of the <xreftarget="RFC7515">JWS</xref>target="RFC7515" format="default">JWS</xref> signing algorithms(<spanx style="verb">alg</spanx> values)(<tt>alg</tt> values), as defined in <xreftarget="RFC7518">JWA</xref>target="RFC7518" format="default">JWA</xref>, supported by the introspection endpoint to sign theresponse.</t> <t hangText="introspection_encryption_alg_values_supported"> OPTIONAL.response.</dd> <dt>introspection_encryption_alg_values_supported</dt> <dd> <bcp14>OPTIONAL</bcp14>. JSON array containing a list of the <xreftarget="RFC7516">JWE</xref>target="RFC7516" format="default">JWE</xref> encryption algorithms(<spanx style="verb">alg</spanx> values)(<tt>alg</tt> values), as defined in <xreftarget="RFC7518">JWA</xref>target="RFC7518" format="default">JWA</xref>, supported by the introspection endpoint to encrypt the content encryption key for introspection responses (content keyencryption).</t> <t hangText="introspection_encryption_enc_values_supported"> OPTIONAL.encryption).</dd> <dt>introspection_encryption_enc_values_supported</dt> <dd> <bcp14>OPTIONAL</bcp14>. JSON array containing a list of the <xreftarget="RFC7516">JWE</xref>target="RFC7516" format="default">JWE</xref> encryption algorithms(<spanx style="verb">enc</spanx> values)(<tt>enc</tt> values), as defined in <xreftarget="RFC7518">JWA</xref>target="RFC7518" format="default">JWA</xref>, supported by the introspection endpoint to encrypt the response (contentencryption).</t> </list> </t>encryption).</dd> </dl> </section> <section anchor="Security"title="Security Considerations">numbered="true" toc="default"> <name>Security Considerations</name> <section anchor="Cross-JWT_Confusion"title="Cross-JWT Confusion">numbered="true" toc="default"> <name>Cross-JWT Confusion</name> <t>The<spanx style="verb">iss</spanx><tt>iss</tt> and potentially the<spanx style="verb">aud</spanx><tt>aud</tt> claim of a token introspection JWT can resemble those of a JWT-encoded access token. An attacker could try to exploit this and pass a JWT token introspection response as an access token to the resource server. The<spanx style="verb">typ</spanx><tt>typ</tt> ("type") JWT header "token-introspection+jwt" and the encapsulation of the token introspectionmembersmembers, such as<spanx style="verb">sub</spanx><tt>sub</tt> and<spanx style="verb">scope</spanx><tt>scope</tt> in the<spanx style="verb">token_introspection</spanx> claim is<tt>token_introspection</tt> claim, are intended to prevent such substitution attacks. Resource serversMUST<bcp14>MUST</bcp14> therefore check the<spanx style="verb">typ</spanx><tt>typ</tt> JWT header value of received JWT-encoded access tokens and ensure all minimally required claims for a valid access token are present.</t><t>Resource<!--[rfced] draft-ietf-oauth-security-topics (RFC-to-be 9700) does not have a Section 3.2. How this should be updated? Please see https://www.rfc-editor.org/authors/rfc9700.html Original: Resource servers MUST additionally apply the countermeasures against replay as described in<xref target="I-D.ietf-oauth-security-topics"/>,[I-D.ietf-oauth-security-topics], section3.2.</t>3.2. --> <t>Resource servers <bcp14>MUST</bcp14> additionally apply the countermeasures against replay, as described in <xref target="RFC9700" section="3.2" sectionFormat="comma" format="default"/>.</t> <t>JWTConfusionconfusion and other attacks involving JWTs are discussed in <xreftarget="I-D.ietf-oauth-jwt-bcp"/>.</t>target="RFC8725" format="default"/>.</t> </section> <section anchor="token_data_leakage"title="Tokennumbered="true" toc="default"> <name>Token DataLeakage"> <t>TheLeakage</name> <!--[rfced] RFC 7525 has been obsoleted by RFC 9325. Also, RFC 7525 is no longer part of BCP 195. How should this sentence be updated? Original: The authorization server MUST use Transport Layer Security (TLS) 1.2 (or higher) per BCP 195 [RFC7525] in order to prevent token data leakage. Perhaps (A), if simple replacement is accurate: The authorization server MUST use Transport Layer Security (TLS) 1.2 (or higher) per BCP 195 [RFC9325] in order to prevent token data leakage. Or (B), if referencing the whole BCP (RFC 8996 + RFC 9325) is accurate: The authorization server MUST use Transport Layer Security (TLS) 1.2 (or higher) per [BCP195] in order to prevent token data leakage. --> <t>The authorization server <bcp14>MUST</bcp14> use Transport Layer Security (TLS) 1.2 (or higher), per BCP 195 <xreftarget="RFC7525"/>target="RFC7525" format="default"/>, in order to prevent token data leakage.</t><t>Section 2.1 of <xref target="RFC7662"/><t><xref target="RFC7662" section="2.1" sectionFormat="of" format="default"/> permits requests to the introspection endpoint to be authorized with an access tokenwhichthat doesn't identify the caller. To prevent introspection of tokens by parties that are not the intendedconsumerconsumer, the authorization serverMUST<bcp14>MUST</bcp14> require all requests to the token introspection endpoint to be authenticated.</t> </section> </section> <section anchor="privacy"title="Privacy Considerations">numbered="true" toc="default"> <name>Privacy Considerations</name> <t>The token introspection response can be used to transfer personal identifiable information (PII) from the AS to the RS. The ASMUST<bcp14>MUST</bcp14> conform to legal and jurisdictional constraints for the data transfer before any data is released to a particular RS. The details and determining of these constraintsvariesvary by jurisdiction andisare outside the scope of this document.</t> <t>A commonly found way to establish the legal basis for releasing PII is by explicit user consent gathered from the resource owner by the AS during the authorization flow.</t> <t>It is also possible that the legal basis is established out of band, forexampleexample, in an explicit contract or by the client gathering the resource owner's consent.</t> <t>If the AS and the RS belong to the same legal entity (1st party scenario), there is potentially no need for an explicit userconsentconsent, but the terms of service and policy of the respective service providerMUST<bcp14>MUST</bcp14> be enforced at all times.</t> <t>In any case, the ASMUST<bcp14>MUST</bcp14> ensure that the scope of the legal basis is enforced throughout the whole process. The ASMUST<bcp14>MUST</bcp14> retain the scope of the legal basis with the access token,e.g.e.g., in the scope value, itMUST<bcp14>MUST</bcp14> authenticate the RS, and the ASMUST<bcp14>MUST</bcp14> determine the dataa resource serveran RS is allowed to receive based on theresource server’sRS's identity and suitable token data,e.g.e.g., the scope value. </t> <t>Implementers should be aware that a token introspection request lets the AS know when the client (and potentially the user) is accessing the RS, which is also an indication of when the user is using the client. If this implication is not acceptable, implementersMUST<bcp14>MUST</bcp14> use other means to relay access token data, forexampleexample, by directly transferring the data needed by the RS within the access token.</t> </section> <sectionanchor="Acknowledgements" title="Acknowledgements"> <t>We would like to thank Petteri Stenius, Neil Madden, Filip Skokan, Tony Nadalin, Remco Schaar, Justin Richer, Takahiko Kawasaki, Benjamin Kaduk, Robert Wilton and Roman Danyliw for their valuable feedback.</t> </section> <!-- Possibly a 'Contributors' section ... --> <sectionanchor="IANA"title="IANA Considerations">numbered="true" toc="default"> <name>IANA Considerations</name> <section anchor="DynRegReg"title="OAuthnumbered="true" toc="default"> <name>OAuth Dynamic Client Registration MetadataRegistration">Registration</name> <t>This specification requests registration of theThe following client metadata definitions have been registered in the IANA "OAuth Dynamic Client Registration Metadata" registry <xreftarget="IANA.OAuth.Parameters"/>target="IANA.OAuth.Parameters" format="default"/> established by <xreftarget="RFC7591"/>:target="RFC7591" format="default"/>: </t> <!--[rfced] FYI, in Sections 10.1.1, 10.2.1, and 10.4.1, the change controller has been updated from "IESG" to "IETF" to match the actual IANA registries. This was noted as follows in the mail from IANA: "Note: in accordance with recent practice, the change controller for these registrations has been changed from the IESG to the IETF." This is in keeping with IANA's "Guidance for RFC Authors" (on https://www.iana.org/help/protocol-registration): "The IESG shouldn't be listed as a change controller unless the RFC that created the registry (e.g. port numbers, XML namespaces and schemas) requires it. The IETF should be named instead." We have also updated the change controller in Section 10.3.1 accordingly. If that is not accurate, please let us know. --> <section anchor="DynRegContents"title="Registry Contents"> <t> <list style="symbols"> <t> Clientnumbered="true" toc="default"> <name>Registry Contents</name> <dl newline="false" spacing="compact"> <dt>Client MetadataName: <spanx style="verb">introspection_signed_response_alg</spanx> </t> <t> ClientName:</dt> <dd><tt>introspection_signed_response_alg</tt></dd> <dt>Client MetadataDescription: StringDescription:</dt> <dd>String value indicating the client's desired introspection response signingalgorithm. </t> <t> Change Controller: IESG </t> <t> Specification Document(s): <xref target="client_metadata"/>algorithm</dd> <dt>Change Controller:</dt> <dd>IETF</dd> <dt>Reference:</dt> <dd><xref target="client_metadata" format="default"/> of[[ this specification ]] </t> </list> </t> <t> <list style="symbols"> <t> ClientRFC 9701</dd> </dl> <dl newline="false" spacing="compact"> <dt>Client MetadataName: <spanx style="verb">introspection_encrypted_response_alg</spanx> </t> <t> ClientName:</dt> <dd><tt>introspection_encrypted_response_alg</tt></dd> <dt>Client MetadataDescription: StringDescription:</dt> <dd>String value specifying the desired introspection response content key encryption algorithm (algvalue). </t> <t> Change Controller: IESG </t> <t> Specification Document(s): <xref target="client_metadata"/>value)</dd> <dt>Change Controller:</dt> <dd>IETF</dd> <dt>Reference:</dt> <dd><xref target="client_metadata" format="default"/> of[[ this specification ]] </t> </list> </t> <t> <list style="symbols"> <t> ClientRFC 9701</dd> </dl> <dl newline="false" spacing="compact"> <dt>Client MetadataName: <spanx style="verb">introspection_encrypted_response_enc</spanx> </t> <t> ClientName:</dt> <dd><tt>introspection_encrypted_response_enc</tt></dd> <dt>Client MetadataDescription: StringDescription:</dt> <dd>String value specifying the desired introspection response content encryption algorithm (encvalue). </t> <t> Change Controller: IESG </t> <t> Specification Document(s): <xref target="client_metadata"/>value)</dd> <dt>Change Controller:</dt> <dd>IETF</dd> <dt>Reference:</dt> <dd><xref target="client_metadata" format="default"/> of[[ this specification ]] </t> </list> </t>RFC 9701</dd> </dl> </section> </section> <section anchor="ietf-oauth-discoveryIANA"title="OAuthnumbered="true" toc="default"> <name>OAuth Authorization Server MetadataRegistration">Registration</name> <t>This specification requests registration of theThe following values have been registered in the IANA "OAuth Authorization Server Metadata" registry <xreftarget="IANA.OAuth.Parameters"/>target="IANA.OAuth.Parameters" format="default"/> established by <xreftarget="RFC8414"/>.target="RFC8414" format="default"/>. </t> <sectiontitle="Registry Contents"> <t> <list style='symbols'> <t>Metadata Name: <spanx style="verb">introspection_signing_alg_values_supported</spanx></t> <t>Metadata Description: JSONnumbered="true" toc="default"> <name>Registry Contents</name> <dl newline="false" spacing="compact"> <dt>Metadata Name:</dt> <dd><tt>introspection_signing_alg_values_supported</tt></dd> <dt>Metadata Description:</dt> <dd>JSON array containing a list of algorithms supported by the authorization server for introspection responsesigning.</t> <t>Change Controller: IESG</t> <t>Specification Document(s): <xref target="server_metadata"/>signing</dd> <dt>Change Controller:</dt> <dd>IETF</dd> <dt>Reference:</dt> <dd><xref target="server_metadata" format="default"/> of[[ this specification ]]</t> </list> </t> <t> <list style='symbols'> <t>Metadata Name: <spanx style="verb">introspection_encryption_alg_values_supported</spanx></t> <t>Metadata Description: JSONRFC 9701</dd> </dl> <dl newline="false" spacing="compact"> <dt>Metadata Name:</dt> <dd><tt>introspection_encryption_alg_values_supported</tt></dd> <dt>Metadata Description:</dt> <dd>JSON array containing a list of algorithms supported by the authorization server for introspection response content key encryption (algvalue).</t> <t>Change Controller: IESG</t> <t>Specification Document(s): <xref target="server_metadata"/>value)</dd> <dt>Change Controller:</dt> <dd>IETF</dd> <dt>Reference:</dt> <dd><xref target="server_metadata" format="default"/> of[[ this specification ]]</t> </list> </t> <t> <list style='symbols'> <t>Metadata Name: <spanx style="verb">introspection_encryption_enc_values_supported</spanx></t> <t>Metadata Description: JSONRFC 9701</dd> </dl> <dl newline="false" spacing="compact"> <dt>Metadata Name:</dt> <dd><tt>introspection_encryption_enc_values_supported</tt></dd> <dt>Metadata Description:</dt> <dd>JSON array containing a list of algorithms supported by the authorization server for introspection response content encryption (encvalue).</t> <t>Change Controller: IESG</t> <t>Specification Document(s): <xref target="server_metadata"/>value)</dd> <dt>Change Controller:</dt> <dd>IETF</dd> <dt>Reference:</dt> <dd><xref target="server_metadata" format="default"/> of[[ this specification ]]</t> </list> </t>RFC 9701</dd> </dl> </section> </section> <section anchor="ietf-media-typeIANA"title="Medianumbered="true" toc="default"> <name>Media TypeRegistration"> <t>This section registers theRegistration</name> <t>The "application/token-introspection+jwt" media type has been registered in the "Media Types" registry <xreftarget="IANA.MediaTypes"/>target="IANA.MediaTypes" format="default"/> in the manner described in <xreftarget="RFC6838"/>, whichtarget="RFC6838" format="default"/>. It can be used to indicate that the content is a token introspection response in JWT format.</t> <sectiontitle="Registry Contents"> <t> <list style='symbols'> <t>Type name: application</t> <t>Subtype name: token-introspection+jwt</t> <t>Required parameters: N/A</t> <t>Optional parameters: N/A</t> <t>Encoding considerations: binary;numbered="true" toc="default"> <name>Registry Contents</name> <dl newline="false" spacing="normal"> <dt>Type name:</dt> <dd>application</dd> <dt>Subtype name:</dt> <dd>token-introspection+jwt</dd> <dt>Required parameters:</dt> <dd>N/A</dd> <dt>Optional parameters:</dt> <dd>N/A</dd> <dt>Encoding considerations:</dt> <dd>binary. A token introspection response is a JWT; JWT values are encoded as a series of base64url-encoded values (with trailing '=' characters removed), some of which may be the empty string, separated by period ('.')characters.</t> <t>Security considerations: See Section 7characters.</dd> <dt>Security considerations:</dt> <dd>see <xref target="Security" format="default"/> ofthis specification</t> <t>Interoperability considerations: N/A</t> <t>Published specification: Section 4RFC 9701</dd> <dt>Interoperability considerations:</dt> <dd>N/A</dd> <dt>Published specification:</dt> <dd><xref target="jwt_request" format="default"/> ofthis specification</t> <t>ApplicationsRFC 9701</dd> <dt>Applications that use this mediatype: Applicationstype:</dt> <dd>applications that produce and consume OAuth Token Introspection Responses in JWTformat</t> <t>Fragmentformat</dd> <dt>Fragment identifierconsiderations: N/A</t> <t>Additional information: <list style='symbols'> <t>Magic number(s): N/A</t> <t>File extension(s): N/A</t> <t>Macintoshconsiderations:</dt> <dd>N/A</dd> </dl> <dl newline="true" spacing="normal"> <dt >Additional information:</dt> <dd> <dl newline="false" spacing="compact"> <dt>Magic number(s):</dt> <dd>N/A</dd> <dt>File extension(s):</dt> <dd>N/A</dd> <dt>Macintosh file typecode(s): N/A</t> </list> </t> <t>Personcode(s):</dt> <dd>N/A</dd> </dl> </dd> </dl> <dl newline="false" spacing="normal"> <dt>Person & email address to contact for furtherinformation: Torsten Lodderstedt, torsten@lodderstedt.net</t> <t>Intended usage: COMMON</t> <t>Restrictionsinformation:</dt> <dd><br/>Torsten Lodderstedt (torsten@lodderstedt.net)</dd> <dt>Intended usage:</dt> <dd>COMMON</dd> <dt>Restrictions onusage: none</t> <t>Author: Torsten Lodderstedt, torsten@lodderstedt.net</t> <t>Change controller: IESG</t> <t>Provisional registration? No</t> </list> </t>usage:</dt> <dd>none</dd> <dt>Author:</dt> <dd>Torsten Lodderstedt (torsten@lodderstedt.net)</dd> <dt>Change controller:</dt> <dd>IETF</dd> <dt>Provisional registration?</dt> <dd>No</dd> </dl> </section> </section> <section anchor="ietf-jwt-IANA"title="JWTnumbered="true" toc="default"> <name>JWT ClaimRegistration"> <t>This section registers theRegistration</name> <t>The "token_introspection" claim has been registered in theJSON"JSON Web Token(JWT) IANA(JWT)" registry <xreftarget="IANA.JWT"/>target="IANA.JWT" format="default"/> in the manner described in <xreftarget="RFC7519"/>.</t>target="RFC7519" format="default"/>.</t> <sectiontitle="Registry Contents"> <t> <list style='symbols'> <t>Claim name: token_introspection</t> <t>Claim description: Token introspection response</t> <t>Change Controller: IESG</t> <t>Specification Document(s): <xref target="jwt_response"/> of [[this specification]]</t> </list> </t>numbered="true" toc="default"> <name>Registry Contents</name> <dl newline="false" spacing="compact"> <dt>Claim Name:</dt> <dd>token_introspection</dd> <dt>Claim Description:</dt> <dd>Token introspection response</dd> <dt>Change Controller:</dt> <dd>IETF</dd> <dt>Reference:</dt> <dd><xref target="jwt_response" format="default"/> of RFC 9701</dd> </dl> </section> </section> </section> </middle> <back> <references> <name>References</name> <references> <name>Normative References</name> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6838.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7519.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7525.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7591.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7662.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7518.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7515.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7516.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8174.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8414.xml"/> <!-- [I-D.ietf-oauth-jwt-bcp] Published as RFC 8725--> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8725.xml"/> <!--*****BACK MATTER *****[I-D.ietf-oauth-security-topics] companion document 9700 --><back> <references title="Normative References"> <?rfc include="reference.RFC.2119"?> <?rfc include="reference.RFC.6838"?> <?rfc include="reference.RFC.7519"?> <?rfc include="reference.RFC.7525"?> <?rfc include="reference.RFC.7591"?> <?rfc include="reference.RFC.7662"?> <?rfc include="reference.RFC.7518"?> <?rfc include="reference.RFC.7515"?> <?rfc include="reference.RFC.7516"?> <?rfc include="reference.RFC.8174"?> <?rfc include="reference.RFC.8414"?> <?rfc include='http://xml2rfc.tools.ietf.org/public/rfc/bibxml3/reference.I-D.draft-ietf-oauth-jwt-bcp-06.xml'?> <?rfc include='http://xml2rfc.tools.ietf.org/public/rfc/bibxml3/reference.I-D.draft-ietf-oauth-security-topics-13.xml'?><reference anchor="RFC9700" target="https://www.rfc-editor.org/info/rfc9700"> <front> <title>OAuth 2.0 Security Best Current Practice</title> <author initials='T' surname='Lodderstedt' fullname='Torsten Lodderstedt'> <organization>yes.com</organization> </author> <author initials='J' surname='Bradley' fullname='John Bradley'> <organization>Yubico</organization> </author> <author initials='A' surname='Labunets' fullname='Andrey Labunets'> <organization>Independent Researcher</organization> </author> <author initials='D' surname='Fett' fullname='Daniel Fett'> <organization>yes.com</organization> </author> <date month='November' year='2024'/> </front> <seriesInfo name="BCP" value="240"/> <seriesInfo name="RFC" value="9700"/> <seriesInfo name="DOI" value="10.17487/RFC9700"/> </reference> <reference anchor="OpenID.Registration" target="https://openid.net/specs/openid-connect-registration-1_0.html"> <front> <title>OpenID Connect Dynamic Client Registration 1.0 incorporating errata set 1</title> <author fullname="Nat Sakimura"> <organization>NRI</organization> </author> <author fullname="John Bradley"> <organization>Ping Identity</organization> </author> <author fullname="Mike Jones"> <organization>Microsoft</organization> </author> <dateday="8" month="Nov"month="November" year="2014"/> </front> </reference> <reference anchor="IANA.MediaTypes" target="http://www.iana.org/assignments/media-types"> <front> <title>Media Types</title><author fullname="IANA"> <organization abbrev="ISO">IANA</organization><author> <organization>IANA</organization> </author> <date/> </front> </reference> <reference anchor="IANA.JWT"target="https://www.iana.org/assignments/jwt/jwt.xhtml#claims">target="https://www.iana.org/assignments/jwt"> <front> <title>JSON Web Token (JWT)claims registry</title> <author fullname="IANA"> <organization abbrev="ISO">IANA</organization>Claims</title> <author> <organization>IANA</organization> </author> <date/> </front> </reference> <reference anchor="IANA.OAuth.Token.Introspection"target="https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml#token-introspection-response">target="https://www.iana.org/assignments/oauth-parameters"> <front> <title>OAuth Token IntrospectionResponse registry</title>Response</title> <author> <organization>IANA</organization> </author> <date/> </front> </reference> </references><references title="Informative References"><references> <name>Informative References</name> <reference anchor="IANA.OAuth.Parameters" target="http://www.iana.org/assignments/oauth-parameters"> <front> <title>OAuth Parameters</title> <author> <organization>IANA</organization> </author> <date/> </front> </reference> </references> </references> <sectionanchor="History" title="Document History"> <t>[[ To be removed fromanchor="Acknowledgements" numbered="false" toc="default"> <name>Acknowledgements</name> <t>We would like to thank <contact fullname="Petteri Stenius"/>, <contact fullname="Neil Madden"/>, <contact fullname="Filip Skokan"/>, <contact fullname="Tony Nadalin"/>, <contact fullname="Remco Schaar"/>, <contact fullname="Justin Richer"/>, <contact fullname="Takahiko Kawasaki"/>, <contact fullname="Benjamin Kaduk"/>, <contact fullname=" Robert Wilton"/>, and <contact fullname="Roman Danyliw"/> for their valuable feedback.</t> </section> <!-- [rfced] For sourcecode elements, please consider whether thefinal specification ]]</t> <t>-12<list style="symbols"> <t>made registration"type" attribute should be set and/or has been set correctly. The current list ofresponse parameters intendedpreferred values forcross domain use a MUST ( in RFC 7662)</t> </list> </t> <t>-11<list style="symbols"> <t>consistent normative language that"type" is available at <https://www.rfc-editor.org/rpc/wiki/doku.php?id=sourcecode-types>. If theAS must authenticate all callerscurrent list does not contain an applicable type, feel free tothe token introspection endpoint when complying with this specification</t> <t>removes textsuggest additions for consideration. Note thatclaims from the JSON Web Token Claims registry may be included in the token_introspection claim</t> <t>updates the privacy considerations section</t> <t>fixes the example BASE64URL encoded JWT payload</t> </list> </t> <t>-10<list style="symbols"> <t>added requirement to authenticate RS if privacy sensitive datait isreleased</t> <t>reworked text on claims from different registries</t> <t>added forward reference to privacy considerations to section 5</t> <t>added text in privacy considerations regarding client/user tracking</t> </list> </t> <t>-09<list style="symbols"> <t>changes the Accept and Content-Type HTTP headers from "application/json"also acceptable to"application/token-introspection+jwt" so they matchleave theregistered media type</t> <t>moves the token introspection response members into a JSON object claim named "token_introspection" to provide isolation from"type" attribute not set. --> <!-- [rfced] Please review thetop-level JWT-specific claims</t> <t>"iss", "aud" and "iat" MUST be present as top-level JWT claims</t> <t>the "sub" and "exp" claims SHOULD NOT be used as top-level JWT claims as additional prevention against JWT access token substitution attacks</t> </list> </t> <t>-08<list style="symbols"> <t>made difference between introspected access token and introspection response clearer</t> <t>defined semantics"Inclusive Language" portion ofJWT claims overlapping between introspected access token and introspection response as JWT</t> <t>added section about RS management</t> <t>added text about user claims including a privacy considerations section</t> <t>removed registration of OpenID Connect claims to "Token Introspection Response" registry and refer to "JWT Claims" registry instead</t> <t>added registration of "application/token-introspection+jwt" media type as type identifier of token introspection responses in JWT format</t> <t>more changed to incorporate IESG review feedback</t> </list> </t> <t>-07<list style="symbols"> <t>fixed wrong description of "locale"</t> <t>added references for ISO and ITU specifications</t> </list> </t> <t>-06<list style="symbols"> <t>replaced reference to RFC 7159 with reference to RFC 8259</t> </list> </t> <t>-05<list style="symbols"> <t>improved wording for TLS requirement</t> <t>added RFC 2119 boilerplate</t> <t>fixedthe online Style Guide <https://www.rfc-editor.org/styleguide/part2/#inclusive_language> andupdated some references</t> </list> </t> <t>-04<list style="symbols"> <t>reworked definition of parameters in section 4</t> <t>added text on data minimization to security considerations section</t> <t>added statement regarding TLS to security considerations section</t> </list> </t> <t>-03<list style="symbols"> <t>added registration for OpenID Connect Standard Claims to OAuth Token Introspection Response registry</t> </list> </t> <t>-02<list style="symbols"> <t>updated references</t> </list> </t> <t>-01<list style="symbols"> <t>adapted wording to preclude any accept header except "application/jwt"let us know ifencrypted responsesany changes arerequired</t> <t>use registered alg value RS256 for default signing algorithm</t> <t>added text on claims in the token introspection response</t> </list> </t> <t>-00<list style="symbols"> <t>initial versionneeded. Updates ofthe WG draft</t> <t>defined default signing algorithm</t> <t>changed behaviorthis nature typically result incase resource servermore precise language, which isset uphelpful forencryption</t> <t>Added text on token data leakage prevention to the security considerations</t> <t>moved Security Considerations section forward</t> </list> </t> <t>WG draft</t> <t>-01<list style="symbols"> <t>fixed typos in client meta data field names</t> <t>added OAuth Server Metadata parameters to publish algorithms supported for signing and encrypting the introspection response</t> <t>added registration of new parameters for OAuth Server Metadata and Client Registration</t> <t>added explicit request for JWT introspection response</t> <t>made iss and aud claims mandatoryreaders. Note that our script did not flag any words inintrospection response</t> <t>Stylistic and clarifying edits, updates references</t> </list></t> <t>-00<list style="symbols"> <t>initial version</t> </list></t> </section>particular, but this should still be reviewed as a best practice. --> </back> </rfc>