
Add support for "JWT Introspection Response"

Open leastprivilege opened this issue 5 years ago • 1 comment

Once this is done:

https://tools.ietf.org/html/draft-ietf-oauth-jwt-introspection-response-10

leastprivilege, Dec 11 '20 15:12

I was just about to create a question / feature request about this, but I'm glad to have searched and found this first. The speed at which this industry shifts in what it determines to be best practice is hard to keep up with! I'm keenly interested in Duende implementing this.

My company has two independent product suites that will slowly be integrated over the next couple of years. One of which is in the process of implementing Kong API Gateway, while the other is rolling out Envoy.

Unfortunately, Envoy does not have any native plugin that would support the Split Token approach, while it appears we will be able to extend Kong to support this. Therefore, the best option I see for authorizing our SPA requests through Envoy is to issue an opaque token as an HttpOnly Secure cookie. We can use the Phantom Token approach through Envoy's ext_auth plugin - in which I can call IdentityServer's introspection endpoint. However, it is ideal for us to receive back a JWT as the response.

Looking forward to this feature! Thanks for all your hard work!

dgioulakis, Jul 29 '21 01:07
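To make the requested feature concrete, here is an added example (not IdentityServer or Duende code) of what the external authorizer described above would have to check when the introspection endpoint returns a signed JWT instead of plain JSON. The claim layout is assumed to follow the draft's later revisions (a `typ` header of `token-introspection+jwt` with the introspection result nested in a `token_introspection` claim); the HS256 secret, issuer and audience values are constructed for the demo, where a real deployment would verify an asymmetric signature against the authorization server's JWKS.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo values; a real AS signs with an asymmetric key and the RS fetches its JWKS.
DEMO_SECRET = b"constructed-demo-secret"
AS_ISSUER = "https://as.example"      # assumed issuer of the introspection response
RS_AUDIENCE = "https://api.example"   # assumed identifier of the resource server / authorizer


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_introspection_jwt(introspection: dict, now: int = None) -> str:
    """AS side: wrap an introspection result in a signed JWT using the assumed draft layout."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "token-introspection+jwt"}
    payload = {"iss": AS_ISSUER, "aud": RS_AUDIENCE, "iat": now, "token_introspection": introspection}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(DEMO_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_introspection_jwt(token: str, now: int = None) -> dict:
    """RS side: return the token_introspection claims, or raise ValueError if any check fails."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    # Pin the algorithm (never trust "alg" from the token) and the typ, so an ordinary
    # access token can never be mistaken for an introspection response.
    if header.get("alg") != "HS256" or header.get("typ") != "token-introspection+jwt":
        raise ValueError("unexpected header")
    expected = hmac.new(DEMO_SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(p))
    if payload.get("iss") != AS_ISSUER or payload.get("aud") != RS_AUDIENCE:
        raise ValueError("wrong issuer or audience")
    info = payload.get("token_introspection")
    if not isinstance(info, dict) or info.get("active") is not True:
        raise ValueError("token not active")
    if "exp" in info and info["exp"] <= now:
        raise ValueError("access token expired")
    return info
```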