By: Ryan D. Smith user 08 Mar 2017 at 11:45 a.m. CST

5 Responses

Your current implementation of the introspection_endpoint for OpenID Connect follows the RFC 7662 specification by including the required field “active”, as well as the optional fields “exp” and “iat”. We request you include the additional optional fields “scope”, “client_id”, “username”, “sub”, “aud”, and “iss”. This will allow Relying Parties to better validate access tokens and mitigate the “Access Token Redirect” and other confused-deputy-type attacks, by exposing the requisite data on a single endpoint.
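To make the request above concrete, here is an added example (not code from the original post, and not oxAuth's own implementation) of how a Relying Party would consume an RFC 7662 introspection response. The client id `rp-a`, the issuer URL, the fixed timestamp and the sample responses are all constructed assumptions. The validator is fail-closed: a field the RP depends on (issuer, audience) that the server does not return counts as a failed check rather than a skipped one, which is exactly why a response carrying only `active`, `exp` and `iat` cannot tell the RP whether the token was issued for it or for some other client.

```python
import json

# Constructed fixed "current time" so the example is deterministic (not a real timestamp).
NOW = 1_489_000_000

# Assumed identifiers for this relying party and its OpenID Provider (constructed, not Gluu's).
RP_CLIENT_ID = "rp-a"
EXPECTED_ISSUER = "https://op.example.test"


def validate_introspection(resp_json, *, now=NOW, expected_client=RP_CLIENT_ID,
                           expected_issuer=EXPECTED_ISSUER, required_scopes=(),
                           skew=60):
    """Validate an RFC 7662 introspection response as a relying party would.

    Returns (ok, reason). Checks are fail-closed: a field the RP relies on
    that the server did not return is treated as a failed check, not skipped.
    """
    resp = json.loads(resp_json) if isinstance(resp_json, str) else resp_json

    # "active" is the only REQUIRED field; anything but boolean true is a reject.
    if resp.get("active") is not True:
        return False, "token not active"

    # Optional lifetime fields: honour them when present.
    exp = resp.get("exp")
    if exp is not None and now >= exp:
        return False, "token expired"
    iat = resp.get("iat")
    if iat is not None and iat > now + skew:
        return False, "iat is in the future beyond allowed clock skew"

    # Issuer: needed to know which server minted the token.
    iss = resp.get("iss")
    if iss is None:
        return False, "iss missing: cannot verify token origin"
    if iss != expected_issuer:
        return False, f"unexpected issuer {iss!r}"

    # Audience: the check that defeats token redirection. RFC 7662 allows a
    # single string or a list of strings here.
    aud = resp.get("aud")
    if aud is None:
        return False, "aud missing: cannot tell whether token was issued for this RP"
    audiences = [aud] if isinstance(aud, str) else list(aud)
    if expected_client not in audiences:
        return False, f"token audience {audiences!r} does not include {expected_client!r}"

    # Scope: space-separated list per RFC 6749 section 3.3.
    granted = set(resp.get("scope", "").split())
    missing = set(required_scopes) - granted
    if missing:
        return False, f"missing required scopes: {sorted(missing)}"

    return True, "ok"


# Constructed introspection responses. MINIMAL mirrors the fields the post says
# are returned today; FULL adds the requested optional fields.
SAMPLE_MINIMAL = json.dumps({"active": True, "exp": NOW + 300, "iat": NOW - 60})
SAMPLE_FULL = json.dumps({
    "active": True, "exp": NOW + 300, "iat": NOW - 60,
    "scope": "openid profile", "client_id": "rp-a", "username": "alice",
    "sub": "248289761001", "aud": ["rp-a"], "iss": EXPECTED_ISSUER,
})
# Same token shape, but issued to a different client: a relying party that
# only looked at "active"/"exp" would accept it.
SAMPLE_REDIRECTED = json.dumps({**json.loads(SAMPLE_FULL), "client_id": "rp-b", "aud": "rp-b"})
SAMPLE_EXPIRED = json.dumps({**json.loads(SAMPLE_FULL), "exp": NOW - 1})

if __name__ == "__main__":
    for name, resp in [("minimal", SAMPLE_MINIMAL), ("full", SAMPLE_FULL),
                       ("redirected", SAMPLE_REDIRECTED), ("expired", SAMPLE_EXPIRED)]:
        ok, reason = validate_introspection(resp, required_scopes=("openid",))
        print(f"{name:10s} -> {'accept' if ok else 'reject'}: {reason}")
```

Run stand-alone, the minimal response is rejected because the RP cannot verify origin or audience, the redirected token is rejected on the `aud` check, and only the full response for `rp-a` is accepted.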

By Michael Schwartz Account Admin 08 Mar 2017 at 7:31 p.m. CST


Agreed, in 3.1 we are going to improve introspection.

By William Lowe user 09 Mar 2017 at 8:29 a.m. CST


Yuriy, can you make a Github issue for this if there is not one already?

Thanks!

By Yuriy Zabrovarnyy staff 09 Mar 2017 at 9:36 a.m. CST


Issue created and scheduled for 3.1: https://github.com/GluuFederation/oxAuth/issues/489

By William Lowe user 09 Mar 2017 at 9:44 a.m. CST


Thanks, Yuriy! Closing this ticket out. Ryan, feel free to follow progress on the GitHub issue.

Thanks,
Will

By Ryan D. Smith user 09 Mar 2017 at 9:45 a.m. CST


Thank you!