FWIW, I did have that as an open issue in the draft: http://tools.ietf.org/html/draft-campbell-oauth-dst4jwt-00#appendix-A
Though the way I worded it probably shows my bias. On Wed, Mar 25, 2015 at 2:16 PM, Mike Jones <michael.jo...@microsoft.com> wrote: > Thanks for posting this, Brian. To get it down on the list, I’ll repeat > my comment made in person that just as “aud” used to be single-valued and > ended up being multi-valued, I suspect some applications would require the > same thing of “dst” – at least when “aud” and “dst” are different. And > even if “dst” becomes multi-valued, it’s OK for particular applications to > require that it be single-valued in their usage. > > > > -- Mike > > > > *From:* OAuth [mailto:oauth-boun...@ietf.org] *On Behalf Of *Brian > Campbell > *Sent:* Wednesday, March 25, 2015 2:08 PM > *To:* oauth > *Subject:* [OAUTH-WG] JWT Destination Claim > > > > Here are the slides that I rushed though at the end of the Dallas meeting: > > https://www.ietf.org/proceedings/92/slides/slides-92-oauth-1.pdf > > > > And the -00 draft: > http://tools.ietf.org/html/draft-campbell-oauth-dst4jwt-00 > > In an informal discussion earlier this week John B. suggested that some > additional thinking and/or clarification is needed with regard to what > parts of the URI to include and check. Particularly with respect to query > and fragment. And he's probably right. >
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth