By: Ryan D. Smith user 08 Mar 2017 at 11:45 a.m. CST

5 Responses
Your current implementation of the introspection_endpoint for OpenID Connect follows the [RFC7662](https://www.rfc-editor.org/rfc/rfc7662.txt) specification by including the required field “active”, as well as the optional fields “exp” and “iat”. We request you include the additional optional fields “scope”, “client_id”, “username”, “sub”, “aud”, and “iss”. This will allow Relying Parties to better validate access tokens and mitigate the “[Access Token Redirect](http://openid.net/specs/openid-connect-core-1_0.html#AccessTokenRedirect)”, and other [confused deputy](https://en.wikipedia.org/wiki/Confused_deputy_problem) type attacks, by exposing the requisite data on a single endpoint.
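
As an added example (not from this ticket and not oxAuth code), here is the kind of Relying Party-side check the extra fields make possible: it rejects an introspected token that is inactive, expired, from the wrong issuer, issued for a different audience (the token-redirect case), or lacking a required scope. The response values, issuer URL and client id are constructed for illustration.

```python
import time

# Constructed sample RFC 7662 introspection response carrying the optional
# fields the ticket asks for. Not taken from any real deployment.
SAMPLE_RESPONSE = {
    "active": True,
    "scope": "openid profile email",
    "client_id": "rp-client-123",
    "username": "alice",
    "sub": "user-42",
    "aud": ["rp-client-123", "other-api"],
    "iss": "https://idp.example.com",
    "exp": 4102444800,  # 2100-01-01 UTC, far enough ahead for the sample
    "iat": 1489000000,
}


def validate_introspection(resp, expected_iss, my_client_id, required_scopes, now=None):
    """Return (ok, reason). ok is True only when every check passes.

    expected_iss and my_client_id are the RP's own configuration; an RP
    must compare against its own values, never against what the token says.
    """
    now = time.time() if now is None else now
    if resp.get("active") is not True:
        return False, "token not active"
    exp = resp.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return False, "token expired or exp missing"
    if resp.get("iss") != expected_iss:
        return False, "unexpected issuer"
    # "aud" may be a single string or a list; normalise before checking.
    aud = resp.get("aud")
    aud = [aud] if isinstance(aud, str) else (aud or [])
    if my_client_id not in aud:
        # A valid token for some other client must not be accepted here:
        # this is the access token redirect / confused deputy case.
        return False, "token not issued for this audience"
    granted = set(resp.get("scope", "").split())
    missing = set(required_scopes) - granted
    if missing:
        return False, "missing scopes: " + ",".join(sorted(missing))
    return True, "ok"
```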

By Michael Schwartz Account Admin 08 Mar 2017 at 7:31 p.m. CST

Agreed, in 3.1 we are going to improve introspection.

By William Lowe user 09 Mar 2017 at 8:29 a.m. CST

Yuriy, can you make a Github issue for this if there is not one already? Thanks!

By Yuriy Zabrovarnyy staff 09 Mar 2017 at 9:36 a.m. CST

Issue created and scheduled for 3.1 https://github.com/GluuFederation/oxAuth/issues/489

By William Lowe user 09 Mar 2017 at 9:44 a.m. CST

Thanks, Yuriy! Closing this ticket out. Ryan, feel free to follow progress on the GitHub issue. Thanks, Will

By Ryan D. Smith user 09 Mar 2017 at 9:45 a.m. CST

Thank you!