
Experimental support for draft-ietf-oauth-jwt-introspection-response #1543

Closed
ArnoSen opened this issue Aug 26, 2019 · 3 comments

Comments


ArnoSen commented Aug 26, 2019

Is your feature request related to a problem? Please describe.

A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]

I have a use case for developing something similar to what is described here: https://nordicapis.com/how-to-control-user-identity-within-microservices/ .

The information returned by the token introspection endpoint (RFC 7662) is unsigned and can not be forwarded without introducing security related risks.

Is there any plan/outlook to support this (almost) approved RFC: https://tools.ietf.org/html/draft-ietf-oauth-jwt-introspection-response-05 (latest version)

A clear and concise description of what you want to happen.

Would you consider implementing this feature although it has not been fully approved? Alternatively, until it is approved, could this be converted into a feature that will only be active when it is enabled in the config?

A clear and concise description of any alternative solutions or features you've considered.

It is a big security risk to implement this in another service as this would require this server to have the private key of the AS.

Add any other context or screenshots about the feature request here.
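The forwarding problem described in this request, shown as an added example that is not part of the issue, of Hydra or of the draft itself: the authorization server wraps the RFC 7662 introspection result in an HS256-signed JWT, and a downstream service checks signature, issuer, audience, expiry and `active` before trusting the forwarded result. The claim layout (introspection fields placed beside `iss`/`aud`/`iat`), the `typ` value, the shared HMAC key and all sample values are assumptions made for this example; the draft's exact layout and its use of asymmetric keys are not reproduced.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// IntrospectionClaims is an assumed, simplified layout: the RFC 7662 fields
// beside iss/aud/iat so the receiving service can check who vouched, and for whom.
type IntrospectionClaims struct {
	Iss    string `json:"iss"`
	Aud    string `json:"aud"`
	Iat    int64  `json:"iat"`
	Active bool   `json:"active"`
	Sub    string `json:"sub,omitempty"`
	Scope  string `json:"scope,omitempty"`
	Exp    int64  `json:"exp,omitempty"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

func decodeSegment(seg string, v interface{}) error {
	raw, err := base64.RawURLEncoding.DecodeString(seg)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}

// SignIntrospection is the authorization server's side: it wraps the
// introspection result in an HS256 JWT so the result can be forwarded intact.
func SignIntrospection(c IntrospectionClaims, key []byte) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "HS256", "typ": "token-introspection+jwt"})
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := b64(header) + "." + b64(payload)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(signingInput))
	return signingInput + "." + b64(mac.Sum(nil)), nil
}

// VerifyIntrospection is the downstream service's side. It trusts the
// forwarded result only if signature, issuer, audience, expiry and the
// active flag all check out; a plain RFC 7662 JSON body offers none of this.
func VerifyIntrospection(token string, key []byte, wantIss, wantAud string, now time.Time) (*IntrospectionClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed JWT")
	}
	var hdr struct{ Alg string `json:"alg"` }
	if err := decodeSegment(parts[0], &hdr); err != nil {
		return nil, err
	}
	if hdr.Alg != "HS256" { // pin the algorithm; the token must not choose it
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return nil, errors.New("signature mismatch")
	}
	var c IntrospectionClaims
	if err := decodeSegment(parts[1], &c); err != nil {
		return nil, err
	}
	if c.Iss != wantIss {
		return nil, fmt.Errorf("unexpected issuer %q", c.Iss)
	}
	if c.Aud != wantAud {
		return nil, fmt.Errorf("result was not issued for %q", wantAud)
	}
	if c.Exp != 0 && !now.Before(time.Unix(c.Exp, 0)) {
		return nil, errors.New("introspected token has expired")
	}
	if !c.Active {
		return nil, errors.New("token is not active")
	}
	return &c, nil
}

func main() {
	key := []byte("constructed-shared-secret") // constructed for the example
	now := time.Unix(1566806400, 0)              // constructed timestamp
	claims := IntrospectionClaims{Iss: "https://as.example", Aud: "orders-service", Iat: now.Unix(),
		Active: true, Sub: "user-123", Scope: "orders:read", Exp: now.Unix() + 300}
	tok, _ := SignIntrospection(claims, key)
	_, err := VerifyIntrospection(tok, key, "https://as.example", "billing-service", now)
	fmt.Println("forwarded to billing-service:", err) // rejected: wrong audience
}
```

The audience check is what makes the forwarded result safe to hand from one microservice to the next: a result the AS signed for `orders-service` cannot be replayed at `billing-service`, and a service that strips or edits the JSON fails the signature check. With the unsigned RFC 7662 response, none of these checks are possible.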

ArnoSen (Author) commented Sep 2, 2019

Hi, there has not been a reply to this request yet. Do you have any questions about this request?

aeneasr (Member) commented Sep 3, 2019

Sorry for the late reply, I thought I replied but maybe forgot to hit send.

There is no plan to implement said feature. The approach outlined by nordicapis is already possible today by using Oathkeeper.

I do not believe that the given draft is very useful except for maybe some edge cases, which have yet to come up.

aeneasr (Member) commented Sep 18, 2019

Closing as no further questions came up and I think the issue was answered sufficiently.

@aeneasr aeneasr closed this as completed Sep 18, 2019