Details
- Feature Request
- Resolution: Done
- Major
- None
- 1.0.2.Final
- None
Description
Currently the OAuth2 Security Realm is based on a Token Introspection Endpoint at the AS to validate the token and create identities from it, which may be called remote validation.
However, we may want to perform a local validation of the token if the token is using JWT, which is a standard format. In this case, we don't need to call the server at all and we just validate the token locally based on the signature (JWS), expiration, audience and any other condition recommended by the specs.
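The local checks described above (signature, expiration, audience), as an added example that is not part of this issue or of the project's code. It assumes an HS256 token verified with a shared key so that it runs on the standard library alone; a realm validating tokens from an AS would typically verify an asymmetric signature against the AS's public key instead. All function names and sample values are hypothetical.

```python
import base64, hashlib, hmac, json, time

class InvalidToken(Exception):
    """Raised when any local validation step fails."""

def b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def sign_hs256(claims: dict, key: bytes) -> str:
    """Stand-in for the AS: issues constructed sample tokens for the demo."""
    head = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    mac = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(mac)}"

def validate_jwt(token: str, key: bytes, audience: str, now=None) -> dict:
    """Validate signature, expiration and audience without calling the AS."""
    now = time.time() if now is None else now
    try:
        head, body, sig = token.split(".")
        header = json.loads(b64url_decode(head))
        claims = json.loads(b64url_decode(body))
        signature = b64url_decode(sig)
    except ValueError as exc:
        raise InvalidToken("malformed token") from exc
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise InvalidToken("malformed token")
    # Pin the algorithm: never let the token's header choose how it is verified.
    if header.get("alg") != "HS256":
        raise InvalidToken("unexpected alg")
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):
        raise InvalidToken("bad signature")
    # Claims are trusted only from here on, after the signature check passed.
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        raise InvalidToken("expired or missing exp")
    aud = claims.get("aud")  # RFC 7519 allows a single string or a list
    auds = [aud] if isinstance(aud, str) else aud if isinstance(aud, list) else []
    if audience not in auds:
        raise InvalidToken("wrong audience")
    return claims
```

Unlike introspection, this check cannot see a revocation at the AS, so a locally validated token stays accepted until its `exp` passes.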
Issue Links
- is incorporated by: ELY-523 Token-based Security Realm (Resolved)