Merge pull request #5717 from lashinijay/add-warning

Add warning note for introspection endpoint when include_validation_context_as_jwt_in_reponse is enabled

Author: lashinijay

en/identity-server/5.10.0/docs/learn/jwt-token-generation.md

@@ -9,6 +9,11 @@ with the validation response.
 
 Add and configure the following properties as shown below in the `deployment.toml` file found in the `<IS_HOME>/repository/conf` folder.  
 
+!!! warning "Introspection can reveal user information"
+    Enabling the configuration `include_validation_context_as_jwt_in_reponse` allows the introspection endpoint to return user claims in the `token_string` (JWT).
+    API gateways and resource servers that introspect tokens may therefore receive user information if they send the introspect request with `required_claims`.
+    Enable this only if required, and ensure that access to the introspection endpoint is strictly controlled.
+
 ```toml
 [oauth.token.validation]
 include_validation_context_as_jwt_in_reponse = "true"

en/identity-server/5.10.0/docs/learn/verifying-openid-connect-id-token-signatures.md

@@ -76,6 +76,11 @@ public class ValidateRSASignature {
 
 Configuration to switch between signed and unsigned ID tokens. With default configurations, the ID token is always signed. If you want to switch off ID token signing, add the following configuration changes in the `<IS_HOME>/repository/conf/deployment.toml` file.
 
+!!! warning "Introspection can reveal user information"
+    Enabling the configuration `include_validation_context_as_jwt_in_reponse` allows the introspection endpoint to return user claims in the `token_string` (JWT).
+    API gateways and resource servers that introspect tokens may therefore receive user information if they send the introspect request with `required_claims`.
+    Enable this only if required, and ensure that access to the introspection endpoint is strictly controlled.
+
 ```xml
 [oauth.token.validation]
 include_validation_context_as_jwt_in_reponse= true

en/identity-server/5.11.0/docs/learn/jwt-token-generation.md

@@ -9,6 +9,11 @@ with the validation response.
 
 Add and configure the following properties as shown below in the `deployment.toml` file found in the `<IS_HOME>/repository/conf` folder.  
 
+!!! warning "Introspection can reveal user information"
+    Enabling the configuration `include_validation_context_as_jwt_in_reponse` allows the introspection endpoint to return user claims in the `token_string` (JWT).
+    API gateways and resource servers that introspect tokens may therefore receive user information if they send the introspect request with `required_claims`.
+    Enable this only if required, and ensure that access to the introspection endpoint is strictly controlled.
+
 ```toml
 [oauth.token.validation]
 include_validation_context_as_jwt_in_reponse = "true"

en/identity-server/5.11.0/docs/learn/verifying-openid-connect-id-token-signatures.md

@@ -76,6 +76,11 @@ public class ValidateRSASignature {
 
 Configuration to switch between signed and unsigned ID tokens. With default configurations, the ID token is always signed. If you want to switch off ID token signing, add the following configuration changes in the `<IS_HOME>/repository/conf/deployment.toml` file.
 
+!!! warning "Introspection can reveal user information"
+    Enabling the configuration `include_validation_context_as_jwt_in_reponse` allows the introspection endpoint to return user claims in the `token_string` (JWT).
+    API gateways and resource servers that introspect tokens may therefore receive user information if they send the introspect request with `required_claims`.
+    Enable this only if required, and ensure that access to the introspection endpoint is strictly controlled.
+
 ```xml
 [oauth.token.validation]
 include_validation_context_as_jwt_in_reponse= true

en/identity-server/5.9.0/docs/learn/jwt-token-generation.md

@@ -9,6 +9,11 @@ with the validation response.
 
 Add and configure the following properties as shown below in the `deployment.toml` file found in the `<IS_HOME>/repository/conf` folder.  
 
+!!! warning "Introspection can reveal user information"
+    Enabling the configuration `include_validation_context_as_jwt_in_reponse` allows the introspection endpoint to return user claims in the `token_string` (JWT).
+    API gateways and resource servers that introspect tokens may therefore receive user information if they send the introspect request with `required_claims`.
+    Enable this only if required, and ensure that access to the introspection endpoint is strictly controlled.
+
 ```toml
 [oauth.token.validation]
 include_validation_context_as_jwt_in_reponse = "true"

en/identity-server/5.9.0/docs/learn/verifying-openid-connect-id-token-signatures.md

@@ -76,6 +76,11 @@ public class ValidateRSASignature {
 
 Configuration to switch between signed and unsigned ID tokens. With default configurations, the ID token is always signed. If you want to switch off ID token signing, add the following configuration changes in the `<IS_HOME>/repository/conf/deployment.toml` file.
 
+!!! warning "Introspection can reveal user information"
+    Enabling the configuration `include_validation_context_as_jwt_in_reponse` allows the introspection endpoint to return user claims in the `token_string` (JWT).
+    API gateways and resource servers that introspect tokens may therefore receive user information if they send the introspect request with `required_claims`.
+    Enable this only if required, and ensure that access to the introspection endpoint is strictly controlled.
+
 ```xml
 [oauth.token.validation]
 include_validation_context_as_jwt_in_reponse= true

en/identity-server/6.0.0/docs/guides/access-delegation/get-user-claims-as-a-jwt.md

@@ -36,6 +36,11 @@ You can configure this for all tenants by configuring the `deployment.toml` file
 
 1. Add and configure the following properties as shown below in the `deployment.toml` file found in the `<IS_HOME>/repository/conf` folder.
 
+    !!! warning "Introspection can reveal user information"
+        Enabling the configuration `include_validation_context_as_jwt_in_reponse` allows the introspection endpoint to return user claims in the `token_string` (JWT).
+        API gateways and resource servers that introspect tokens may therefore receive user information if they send the introspect request with `required_claims`.
+        Enable this only if required, and ensure that access to the introspection endpoint is strictly controlled.
+
     ```toml
     [oauth.token.validation]
     include_validation_context_as_jwt_in_reponse = "true"

en/identity-server/6.1.0/docs/guides/access-delegation/get-user-claims-as-a-jwt.md

@@ -36,6 +36,11 @@ You can configure this for all tenants by configuring the `deployment.toml` file
 
 1. Add and configure the following properties as shown below in the `deployment.toml` file found in the `<IS_HOME>/repository/conf` folder.
 
+    !!! warning "Introspection can reveal user information"
+        Enabling the configuration `include_validation_context_as_jwt_in_reponse` allows the introspection endpoint to return user claims in the `token_string` (JWT).
+        API gateways and resource servers that introspect tokens may therefore receive user information if they send the introspect request with `required_claims`.
+        Enable this only if required, and ensure that access to the introspection endpoint is strictly controlled.
+
     ```toml
     [oauth.token.validation]
     include_validation_context_as_jwt_in_reponse = "true"