oauth2.dev

iss

IESG

Registry Context

`iss` optionally identifies the issuer of a token in an OAuth 2.0 token introspection response.

Technical Summary

RFC 7662 Section 2.2 defines `iss` as an OPTIONAL top-level introspection-response member containing a string that represents the token issuer, as defined by the JWT `iss` claim in RFC 7519.

When Used

When an authorization server returns issuer information for an introspected token.

Normative Requirements

Authorization servers

SHOULD NOT
1
  1. RFC 7662 - Section 2.2

    Include `iss` or other additional token information in the response..

    Condition: When the introspected token is inactive.

    The authorization server SHOULD NOT include any additional information about an inactive token.

OPTIONAL
1
  1. RFC 7662 - Section 2.2

    Include an `iss` top-level response member containing a string representing the issuer of the token..

    Condition: When returning a token introspection response.

    iss OPTIONAL. String representing the issuer of this token, as defined in JWT [RFC7519].

Validation Guidance

info

Treat `iss` as an optional top-level member. If present, require a case-sensitive string containing a StringOrURI value.

warning

Flag an `iss` member in a response whose `active` value is `false`, because additional information about an inactive token should not be included.

Security Notes

RFC 7662 - Section 2.2

Including `iss` for an inactive token can disclose authorization-server state; RFC 7662 advises omitting all additional information in such responses.

Reference

Details

Entry Id
iss
Name
iss
Description
Issuer of the token
Change Controller
IESG
Reference
RFC7662 - Section 2.2