There's no generic OAuth way to do this.  There is a way to do it in OpenID 
Connect - see request_object_signing_alg, userinfo_signed_response_alg, and 
id_token_signed_response_alg in 
http://openid.net/specs/openid-connect-registration-1_0-13.html#anchor3 and 
userinfo_signing_alg_values_supported, id_token_signing_alg_values_supported, 
and request_object_signing_alg_values_supported in 
http://openid.net/specs/openid-connect-discovery-1_0-11.html#anchor9.

                                                            -- Mike

From: William Mills [mailto:[email protected]]
Sent: Friday, December 28, 2012 6:07 PM
To: Mike Jones; [email protected]
Subject: Re: [OAUTH-WG] December 27, 2012 OAuth Release

Mike,

I've read through the JWT spec and I'm curious about something.  How do I 
specify a signature requirement as the server?  I didn't see it but I probably 
just missed it.  I'm thinking that with very little work a JWT can do 
everything that MAC does with greater flexibility, *BUT* the server needs to be 
able to require a signed usage.  Something I never liked about OAuth 1.0 is 
that the server must support all valid signature types, even PLAINTEXT, so I 
want to be able to avoid that.

It would require the client to be able to include client generated stuff in the 
JWT.

Thanks,

-bill
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
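As an added illustration of the point Mike makes (this is example code written for this page, not code from the thread, the OAuth WG, or any OpenID Connect implementation): the server never lets the token's own `alg` header decide how it is verified. Instead, the acceptable algorithm is bound to the client at registration time, in the spirit of `request_object_signing_alg`, and checked against a server-wide allowlist in the spirit of `*_signing_alg_values_supported`. The names `CLIENT_REGISTRY`, `SUPPORTED_ALGS`, `verify_jwt`, `mint_jwt` and `is_rejected` are hypothetical, the client and secret are constructed, and HS256 is used only because it can be shown with the Python standard library. An unsigned token (`alg: none`, the JWS counterpart of the OAuth 1.0 PLAINTEXT method Bill objects to) is rejected before any cryptographic work happens.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed per-client registration table (hypothetical). It plays the role of a
# registration-time parameter such as request_object_signing_alg: the algorithm a
# client will use is fixed when it registers, never negotiated from a token header.
CLIENT_REGISTRY = {
    "client-a": {"alg": "HS256", "secret": b"constructed-shared-secret-for-client-a"},
}

# Analogue of the discovery-time *_signing_alg_values_supported lists: the
# server-wide allowlist. "none" is deliberately absent.
SUPPORTED_ALGS = frozenset({"HS256"})


class JWTRejected(Exception):
    """Raised for any token the server policy does not accept."""


def _b64url_decode(s: str) -> bytes:
    # JWS uses unpadded base64url; restore the padding before decoding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def verify_jwt(token: str, client_id: str) -> dict:
    """Verify a compact-serialized JWT against the policy registered for client_id."""
    policy = CLIENT_REGISTRY.get(client_id)
    if policy is None:
        raise JWTRejected("unknown client")
    parts = token.split(".")
    if len(parts) != 3:
        raise JWTRejected("malformed compact serialization")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
    except ValueError as exc:  # covers bad base64, bad UTF-8 and bad JSON
        raise JWTRejected("unparseable header") from exc
    if not isinstance(header, dict):
        raise JWTRejected("header is not a JSON object")

    # Policy first, crypto second. The server decides the algorithm; because no
    # registration entry can name "none" and SUPPORTED_ALGS excludes it, an
    # unsigned token fails here, as does any algorithm the client did not register.
    alg = header.get("alg")
    if alg not in SUPPORTED_ALGS or alg != policy["alg"]:
        raise JWTRejected(f"alg {alg!r} not permitted; {client_id} registered {policy['alg']!r}")

    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(policy["secret"], signing_input, hashlib.sha256).digest()
    try:
        presented = _b64url_decode(sig_b64)
    except ValueError as exc:
        raise JWTRejected("unparseable signature") from exc
    if not hmac.compare_digest(expected, presented):  # constant-time comparison
        raise JWTRejected("signature mismatch")

    try:
        payload = json.loads(_b64url_decode(payload_b64))
    except ValueError as exc:
        raise JWTRejected("unparseable payload") from exc
    return payload


def mint_jwt(payload: dict, alg: str, secret: Optional[bytes] = None) -> str:
    """Build test tokens (signed or unsigned) so the server policy can be exercised."""
    def enc(obj: dict) -> str:
        return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))

    header = {"alg": alg, "typ": "JWT"}
    head_payload = enc(header) + "." + enc(payload)
    if alg == "none":
        return head_payload + "."  # empty signature part, as JWS specifies for "none"
    if alg == "HS256" and secret is not None:
        mac = hmac.new(secret, head_payload.encode("ascii"), hashlib.sha256).digest()
        return head_payload + "." + _b64url_encode(mac)
    raise ValueError("unsupported alg for minting")


def is_rejected(token: str, client_id: str) -> bool:
    """True when the server policy refuses the token."""
    try:
        verify_jwt(token, client_id)
    except JWTRejected:
        return True
    return False


if __name__ == "__main__":
    secret = CLIENT_REGISTRY["client-a"]["secret"]
    good = mint_jwt({"sub": "alice"}, "HS256", secret)
    unsigned = mint_jwt({"sub": "alice"}, "none")
    print("signed token accepted:", verify_jwt(good, "client-a"))
    print("alg=none rejected:", is_rejected(unsigned, "client-a"))
```

The order of checks is the design point: the registered algorithm and the allowlist are consulted before the signature is touched, so a client cannot downgrade itself by editing the header, and a server that wants to stop supporting an algorithm only has to remove it from the registry and the allowlist.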
