This is a classic case for the BCP:

The developer expects that checking the signature of a JWT with a given JWK
will also validate the x5c of the JWK. How the developer obtained the
JWK in the first place is not clear from the ticket.

I wonder how such mistakes can be prevented at the lib API level. If you
know a good approach or example, please let me know.
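To make the failure mode concrete, here is an added example (not code from the ticket or from any JOSE library discussed here), written in Go against the standard library only. It builds a constructed test PKI, signs an ES256 JWT under three different JWKs, and runs two separate checks on each: the signature check the developer relied on, and the x5c check they assumed came with it (the leaf certificate carries the JWK key, and the chain verifies to a trusted root). The names Test Root CA and issuer.example, the claims, and all helper functions are assumptions made for this example; x5c is modelled as already base64-decoded and parsed, so the JSON decoding step a real library performs is left out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

type JWK struct {
	Key *ecdsa.PublicKey    // the decoded crv/x/y members (RFC 7517)
	X5c []*x509.Certificate // the x5c chain, leaf first, already base64-decoded and parsed
}
type Result struct{ SigErr, X5cErr error } // outcome of the two checks for one JWK

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// SignES256 builds a compact JWS with alg ES256; the JWS signature is r||s, 32 bytes each.
func SignES256(priv *ecdsa.PrivateKey, claims string) string {
	input := b64([]byte(`{"alg":"ES256","typ":"JWT"}`)) + "." + b64([]byte(claims))
	h := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, h[:])
	sig := must(make([]byte, 64), err)
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return input + "." + b64(sig)
}

// VerifySignature is all the ticket's developer did: check the JWS signature with the JWK key. x5c is never consulted.
func VerifySignature(token string, k JWK) error {
	i := strings.LastIndexByte(token, '.')
	sig, err := base64.RawURLEncoding.DecodeString(token[i+1:])
	if i < 0 || err != nil || len(sig) != 64 {
		return errors.New("malformed ES256 compact JWS")
	}
	h := sha256.Sum256([]byte(token[:i]))
	if !ecdsa.Verify(k.Key, h[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return errors.New("signature invalid")
	}
	return nil
}

// VerifyX5c is the step the ticket assumed was implicit: leaf key == JWK key, and the chain verifies to a trusted root.
func VerifyX5c(k JWK, roots *x509.CertPool) error {
	if len(k.X5c) == 0 || !k.Key.Equal(k.X5c[0].PublicKey) {
		return errors.New("x5c missing, or its leaf key does not match the JWK key")
	}
	inter := x509.NewCertPool() // remaining x5c entries are candidate intermediates, not trusted by themselves
	for _, c := range k.X5c[1:] {
		inter.AddCert(c)
	}
	_, err := k.X5c[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter})
	return err
}

// issue mints a certificate for pub (parent == nil means self-signed); constructed test PKI for this example.
func issue(cn string, serial int64, ca bool, pub *ecdsa.PublicKey, parent *x509.Certificate, signer *ecdsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, IsCA: ca,
		BasicConstraintsValid: true, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	if parent == nil {
		parent = tmpl
	}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))))
}

// RunScenario runs both checks on three JWKs: a key certified by a trusted CA, a rogue key
// with a self-signed x5c, and the rogue key with the legitimate chain pasted into its x5c.
func RunScenario() (legit, rogue, borrowed Result) {
	gen := func() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
	ca, legitKey, rogueKey := gen(), gen(), gen()
	caCert := issue("Test Root CA", 1, true, &ca.PublicKey, nil, ca)
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	legitCert := issue("issuer.example", 2, false, &legitKey.PublicKey, caCert, ca)
	rogueCert := issue("issuer.example", 3, false, &rogueKey.PublicKey, nil, rogueKey)
	check := func(priv *ecdsa.PrivateKey, chain ...*x509.Certificate) Result {
		k := JWK{Key: &priv.PublicKey, X5c: chain}
		return Result{VerifySignature(SignES256(priv, `{"sub":"alice"}`), k), VerifyX5c(k, roots)}
	}
	return check(legitKey, legitCert, caCert), check(rogueKey, rogueCert), check(rogueKey, legitCert, caCert)
}

func main() {
	fmt.Println(RunScenario())
}
```

RunScenario returns the CA-certified key (both checks pass), the rogue key with its self-signed certificate (signature valid, chain untrusted) and the rogue key with the legitimate chain pasted in (signature valid, leaf key does not match the JWK key). The last two are exactly what a signature-only verifier accepts: nothing in VerifySignature ever touches x5c, and the trust roots that VerifyX5c needs are not something a JWK can carry about itself, so a library that parses x5c without requiring roots from the caller has not validated anything.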


