From 6e396a72290b1c259c76edd99f2fd5cafb410b2c Mon Sep 17 00:00:00 2001 From: stianst Date: Wed, 17 Feb 2021 09:27:32 +0100 Subject: [PATCH] Fix some links --- authorization_services/topics/service-rpt-overview.adoc | 2 +- securing_apps/topics/oidc/oidc-generic.adoc | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/authorization_services/topics/service-rpt-overview.adoc b/authorization_services/topics/service-rpt-overview.adoc index fda067ea80..b10810f1b5 100644 --- a/authorization_services/topics/service-rpt-overview.adoc +++ b/authorization_services/topics/service-rpt-overview.adoc @@ -1,7 +1,7 @@ [[_service_rpt_overview]] = Requesting Party Token -A requesting party token (RPT) is a https://tools.ietf.org/html/rfc7519[JSON web token (JWT)] digitally signed using https://www.rfc-editor.org/rfc/rfc7515.txt[JSON web signature (JWS)]. The token is built based on the OAuth2 access token previously issued by {project_name} to a specific client acting on behalf of a user +A requesting party token (RPT) is a https://tools.ietf.org/html/rfc7519[JSON web token (JWT)] digitally signed using https://tools.ietf.org/html/rfc7515[JSON web signature (JWS)]. The token is built based on the OAuth2 access token previously issued by {project_name} to a specific client acting on behalf of a user or on its own behalf. When you decode an RPT, you see a payload similar to the following: diff --git a/securing_apps/topics/oidc/oidc-generic.adoc b/securing_apps/topics/oidc/oidc-generic.adoc index aa74974160..47861b73a0 100644 --- a/securing_apps/topics/oidc/oidc-generic.adoc +++ b/securing_apps/topics/oidc/oidc-generic.adoc 
@@ -98,7 +98,7 @@ For more details on how to invoke on this endpoint, see https://tools.ietf.org/h If you need to manually validate access tokens issued by {project_name} you can invoke the <<_token_introspection_endpoint,Introspection Endpoint>>. The downside to this approach is that you have to make a network invocation to the {project_name} server. This can be slow and possibly overload the -server if you have too many validation requests going on at the same time. {project_name} issued access tokens are https://tools.ietf.org/html/rfc7519[JSON Web Tokens (JWT)] digitally signed and encoded using https://www.rfc-editor.org/rfc/rfc7515.txt[JSON Web Signature (JWS)]. +server if you have too many validation requests going on at the same time. {project_name} issued access tokens are https://tools.ietf.org/html/rfc7519[JSON Web Tokens (JWT)] digitally signed and encoded using https://tools.ietf.org/html/rfc7515[JSON Web Signature (JWS)]. Because they are encoded in this way, this allows you to locally validate access tokens using the public key of the issuing realm. You can either hard code the realm's public key in your validation code, or lookup and cache the public key using the <<_certificate_endpoint, certificate endpoint>> with the Key ID (KID) embedded within the JWS. Depending what language you code in, there are a multitude of third party libraries out there that can help you with JWS validation.
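Review bot: In the service-rpt-overview.adoc hunk, the `+` line now hardcodes https://tools.ietf.org/html/rfc7515 next to the RFC 7519 link, and the same pair of URLs is repeated verbatim in oidc-generic.adoc, so the two files can drift apart again the next time a link target changes. Both files already rely on attributes such as {project_name}; defining the RFC links once as shared attributes and referencing them here would keep them in sync. The subject "Fix some links" also does not say what was wrong with the rfc-editor.org .txt target, and a one-line reason in the commit body would help anyone auditing link changes later.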
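Review bot: In the oidc-generic.adoc hunk, the context lines right after the changed `+` line present hard coding the realm's public key as an equal alternative to looking it up by KID from the certificate endpoint, without saying that a hard-coded key stops validating tokens as soon as the realm's signing key changes. That is outside the scope of a link fix, but since this paragraph is being touched, a follow-up sentence recommending the KID lookup with caching as the default, and noting the rotation caveat for the hard-coded option, would make the local validation guidance safer to follow. As a small style point on the same `+` line, "{project_name} issued access tokens" reads better hyphenated as "{project_name}-issued access tokens".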