On 02/04/2019 17:35, Brian Campbell wrote:
> Except that the jwk header is more appropriate in the given context https://tools.ietf.org/html/rfc7515#section-4.1.3 - it is the public key that corresponds to the key used to digitally sign the JWS. Which is what it is.
>
> > A quick nit:
> > in figure 3 you seem to be using the "jwk" claim to include the
> > pop-key in the token. Any reason for not using the "cnf" claim from
> > RFC 7800?
> > /Ludwig

My bad, figure 3 is not a token (although it looks like one); it's the token request (encapsulated in a JWS).

/Ludwig

--
Ludwig Seitz, PhD
Security Lab, RISE
Phone +46(0)70-349 92 51
