iss
Registry Context
`iss` optionally identifies the issuer of a token in an OAuth 2.0 token introspection response.
Technical Summary
RFC 7662 Section 2.2 defines `iss` as an OPTIONAL top-level introspection-response member containing a string that represents the token issuer, as defined by the JWT `iss` claim in RFC 7519.
When Used
When an authorization server returns issuer information for an introspected token.
Normative Requirements
Authorization servers
RFC 7662 - Section 2.2
Include `iss` or other additional token information in the response..
Condition: When the introspected token is inactive.
The authorization server SHOULD NOT include any additional information about an inactive token.
RFC 7662 - Section 2.2
Include an `iss` top-level response member containing a string representing the issuer of the token..
Condition: When returning a token introspection response.
iss OPTIONAL. String representing the issuer of this token, as defined in JWT [RFC7519].
Validation Guidance
Treat `iss` as an optional top-level member. If present, require a case-sensitive string containing a StringOrURI value.
Flag an `iss` member in a response whose `active` value is `false`, because additional information about an inactive token should not be included.
Security Notes
RFC 7662 - Section 2.2
Including `iss` for an inactive token can disclose authorization-server state; RFC 7662 advises omitting all additional information in such responses.
Reference
Details
- Entry Id
iss- Name
iss- Description
Issuer of the token- Change Controller
IESG- Reference
RFC7662 - Section 2.2