In the WG meeting yesterday I mentioned that I thought there might have had been some action already taken with respect to "JWT Secured Authorization Request (JAR)" and the potential name conflicts between authorization parameters and JWT claims.
I tracked down this ticket in the OpenID Connect WG https://bitbucket.org/openid/connect/issues/1019/core-iana-consideration, which touches on the issue but it doesn't look like any action has actually been taken. I do think that what is mentioned in the ticket (effectively registering some core "meta" JWT claims as authorization request parameters) is pragmatic and sufficient. As one data point, as far as I know, "aud" is the only name where we've actually encountered this particular name collision problem. -- _CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited. If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you._
_______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
