Thanks for posting this, Brian. To get it down on the list, I’ll repeat my
comment made in person that just as “aud” used to be single-valued and ended up
being multi-valued, I suspect some applications would require the same thing of
“dst” – at least when “aud” and “dst” are different. And even if “dst” becomes
multi-valued, it’s OK for particular applications to require that it be
single-valued in their usage.
-- Mike
From: OAuth [mailto:[email protected]] On Behalf Of Brian Campbell
Sent: Wednesday, March 25, 2015 2:08 PM
To: oauth
Subject: [OAUTH-WG] JWT Destination Claim
Here are the slides that I rushed through at the end of the Dallas meeting:
https://www.ietf.org/proceedings/92/slides/slides-92-oauth-1.pdf
And the -00 draft:
http://tools.ietf.org/html/draft-campbell-oauth-dst4jwt-00
In an informal discussion earlier this week John B. suggested that some
additional thinking and/or clarification is needed with regard to what parts of
the URI to include and check. Particularly with respect to query and fragment.
And he's probably right.