The introduction
<https://tools.ietf.org/html/draft-ietf-oauth-proof-of-possession-02#section-1>
talks about an OAuth 2.0 authorization server as the JWT issuer; however,
the term authorization server doesn’t appear anywhere else in the draft.
Proof-of-possession semantics for JWT certainly can be applicable when an
AS is the issuer, but this draft has wider applicability than that. I might
suggest that the introduction drop the authorization server talk in favor
of something more general. Or clarify that an AS is just one potential
issuer. As it is now, the intro reads overly specific.
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
