On Fri, Nov 1, 2013 at 1:52 PM, Hannes Tschofenig <[email protected]> wrote:
>
> Section 3:
>
> You write:
> "
> 1. The JWT MUST contain an "iss" (issuer) claim that contains a
> unique identifier for the entity that issued the JWT. Issuer
> values SHOULD be compared using the Simple String Comparison
> method defined in Section 6.2.1 of RFC 3986 [RFC3986], unless
> otherwise specified by the application.
> "
>
> What is not stated here is what are the two values that are compared against
> each other. One value is the issuer claim from the JWT and the other value
> is, I guess, an entry from a whitelist of trusted issuers.
Yes, typically the issuer value is used to look up policy or configuration data in order to process the transaction. But that is an implementation choice and certainly not the only way it could be done.

I've always thought that talking about comparing issuer values is somewhat misleading. Can that second sentence be omitted? Or is there a better way to convey what is intended here? Which is, I think, that even though issuer may be a URI, it should simply be treated as a case-sensitive string?

_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
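The comparison the two messages are discussing, as an added example that is not part of the thread or of the JWT draft: a Python check that pulls the "iss" claim out of a token and looks it up in a whitelist of trusted issuers using Simple String Comparison (RFC 3986 section 6.2.1, a code-point for code-point match), beside a partial syntax-based normalization (section 6.2.2) to show what the draft's wording rules out. TRUSTED_ISSUERS, make_token and the issuer URLs are constructed assumptions, and signature verification is deliberately left out; in practice the issuer lookup is what selects the key that verification then uses.

```python
import base64
import json
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

# Constructed whitelist: keyed by the exact issuer string a token is expected
# to carry. A real deployment would store each issuer's keys and policy here.
TRUSTED_ISSUERS = {
    "https://issuer.example.com/": {"policy": "standard"},
    "urn:example:issuer:batch": {"policy": "batch"},
}


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs omit."""
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def make_token(claims: dict) -> str:
    """Constructed helper: build a compact JWT with a placeholder signature.

    Used only to create sample input; nothing here verifies signatures.
    """
    def enc(obj: dict) -> str:
        raw = base64.urlsafe_b64encode(json.dumps(obj).encode("utf-8"))
        return raw.rstrip(b"=").decode("ascii")
    return f"{enc({'alg': 'HS256', 'typ': 'JWT'})}.{enc(claims)}.placeholder"


def extract_iss(jwt: str) -> Optional[str]:
    """Return the 'iss' claim from the payload, or None if it is absent."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact-serialized JWS")
    claims = json.loads(b64url_decode(parts[1]))
    iss = claims.get("iss")
    if iss is not None and not isinstance(iss, str):
        raise ValueError("'iss' claim must be a string")
    return iss


def simple_string_match(candidate: str, trusted: str) -> bool:
    """RFC 3986 6.2.1: equal only if the strings are identical code-point
    for code-point. No lowercasing, no trailing-slash or %-encoding fixes."""
    return candidate == trusted


def case_normalized_match(candidate: str, trusted: str) -> bool:
    """Partial RFC 3986 6.2.2 illustration: lowercase scheme and authority
    before comparing. The draft does NOT ask for this; it is shown only to
    make visible which inputs Simple String Comparison rejects."""
    def norm(uri: str) -> str:
        p = urlsplit(uri)
        return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path, p.query, p.fragment))
    return norm(candidate) == norm(trusted)


def lookup_issuer(jwt: str) -> Optional[dict]:
    """Use the raw 'iss' string to select issuer configuration.

    A dict lookup on the untouched string is exactly Simple String
    Comparison against every whitelist entry: a token whose issuer differs
    only in host case or a trailing slash selects nothing and is rejected.
    """
    iss = extract_iss(jwt)
    if iss is None:
        return None
    return TRUSTED_ISSUERS.get(iss)


if __name__ == "__main__":
    for claims in ({"iss": "https://issuer.example.com/", "sub": "alice"},
                   {"iss": "https://ISSUER.example.com/", "sub": "alice"},
                   {"iss": "https://issuer.example.com", "sub": "alice"},
                   {"sub": "alice"}):
        print(claims.get("iss"), "->", lookup_issuer(make_token(claims)))
```

The contrast between simple_string_match and case_normalized_match is the point of the draft's sentence: the token "https://ISSUER.example.com/" identifies the same host under URI rules, but under Simple String Comparison it is a different issuer and selects no configuration, so a verifier does not have to implement URI normalization to compare issuers consistently.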
