Thanks Nat. It looks like draft-ietf-oauth-jwsreq-08.txt is breaking with OpenID Connect in regard to

1. alg:none request JWTs being no longer permitted
2. HTTPS request_uri's becoming always required, though there is confusion about that (see below).

I don't know if this is intentional.

Quoting the original Connect spec on alg:none:
http://openid.net/specs/openid-connect-core-1_0.html#RequestObject

```
The Request Object MAY be signed or unsigned (plaintext). When it is plaintext, this is indicated by use of the none algorithm [JWA] <http://openid.net/specs/openid-connect-core-1_0.html#JWA> in the JOSE Header.
```

There is also confusion about the requirement to have HTTPS, which in 5.2 is conditionally required, and in 5.2.1 always required (the 5.2.1 edit appeared in -08).

https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-08#section-5.2

```
The contents of the resource referenced by the URL MUST be a Request Object. The scheme used in the "request_uri" value MUST be "https", unless the target Request Object is signed in a way that is verifiable by the Authorization Server.
```

https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-08#section-5.2.1

```
The URL MUST be HTTPS URL.
```

Cheers,

Vladimir

--
Vladimir Dzhuvinov
_______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
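The two policy points raised in the mail, as an added example that is not part of the original message or of either specification: an authorization-server-side check that inspects the JOSE header of a Request Object and accepts or rejects `alg: none` depending on which rule is in force (OpenID Connect Core permits plaintext objects; draft-ietf-oauth-jwsreq-08, as read above, does not), plus a `request_uri` check that can follow either section 5.2 (https unless the object is verifiably signed) or section 5.2.1 (https always). The function names, the `permit_none`, `always_https` and `verifiably_signed` parameters, and the sample claims are assumptions made for the example; signature verification itself is out of scope and is represented by the boolean the caller passes in.

```python
import base64
import json
from urllib.parse import urlparse


def b64url_encode(data: bytes) -> str:
    # JWS compact serialisation uses base64url without '=' padding
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # Restore the padding that base64url strips before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jose_header(jwt: str) -> dict:
    """Decode the JOSE header of a compact-serialised JWS (header.payload.signature)."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three dot-separated segments")
    return json.loads(b64url_decode(parts[0]))


def request_object_alg_ok(jwt: str, permit_none: bool) -> bool:
    """Policy check on the 'alg' of a Request Object.

    permit_none=True  mirrors OpenID Connect Core (plaintext objects allowed).
    permit_none=False mirrors draft-ietf-oauth-jwsreq-08 (alg:none rejected).
    A missing or non-string 'alg' is always rejected.
    """
    alg = jose_header(jwt).get("alg")
    if not isinstance(alg, str) or not alg:
        return False
    if alg == "none":
        return permit_none
    return True


def request_uri_ok(request_uri: str, verifiably_signed: bool, always_https: bool) -> bool:
    """Scheme check for a request_uri.

    always_https=False follows section 5.2: https is required unless the
    referenced Request Object is signed in a way the server can verify.
    always_https=True follows section 5.2.1: https, with no exception.
    """
    scheme = urlparse(request_uri).scheme.lower()
    if scheme == "https":
        return True
    if always_https:
        return False
    return verifiably_signed


def make_compact_jws(header: dict, claims: dict, signature: bytes = b"") -> str:
    """Build a compact JWS from a header and claims (constructed sample data).

    With the default empty signature and {"alg": "none"} this is exactly the
    plaintext form JWA describes: header.payload. with an empty third segment.
    """
    return ".".join([
        b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        b64url_encode(json.dumps(claims, separators=(",", ":")).encode()),
        b64url_encode(signature),
    ])


# Constructed sample claims; the issuer and audience are placeholders
SAMPLE_CLAIMS = {
    "iss": "client-id-placeholder",
    "aud": "https://as.example.invalid",
    "response_type": "code",
    "redirect_uri": "https://client.example.invalid/cb",
    "scope": "openid",
}

UNSIGNED_REQUEST_OBJECT = make_compact_jws({"alg": "none"}, SAMPLE_CLAIMS)
# Header says RS256 but the signature bytes are a dummy: this token is only
# used to show that the alg check passes it on to real signature verification
RS256_HEADED_OBJECT = make_compact_jws({"alg": "RS256"}, SAMPLE_CLAIMS, b"dummy")


if __name__ == "__main__":
    for label, permit in (("Connect Core", True), ("jwsreq-08", False)):
        print(label, "accepts alg:none ->", request_object_alg_ok(UNSIGNED_REQUEST_OBJECT, permit))
    for uri in ("https://client.example.invalid/req.jwt", "http://client.example.invalid/req.jwt"):
        print(uri, "5.2 ->", request_uri_ok(uri, verifiably_signed=True, always_https=False),
              "5.2.1 ->", request_uri_ok(uri, verifiably_signed=True, always_https=True))
```

The same `http` request_uri that passes under section 5.2 when the object is verifiably signed fails under 5.2.1, which is precisely the inconsistency the mail points at; a server implementing -08 has to pick one reading and document it.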
