Would also be interested in the official language here. Would an implementation need to introduce an optional “strict JAR validation mode” - which complies with JAR, but breaks OIDC compatibility?
———
Dominick Baier

On 7. May 2020 at 15:32:33, Brock Allen ([email protected]) wrote:

Perhaps quite late, but a few comments/questions related to this:

1) When decoded, all the JWT samples are missing the "typ" claim from the header, which I think should be "oauth.authz.req+jwt".

2) When validating the JAR if we are to validate the "typ" then this would be incompatible with OIDC's request object, I think?

3) When the JAR is passed by reference, then the HTTP response Content-Type of "application/oauth.authz.req+jwt" would also seem to break or be incompatible with OIDC's request object passed by reference?

There might need to be clarification when mixing this w/ an OIDC OP implementation.

TIA

-Brock

_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
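The incompatibility raised in this thread, as an added example that is not part of either message or of any implementation they refer to: a header check that requires the "typ" value quoted above in a strict mode and tolerates a missing "typ" in a compatibility mode. The `strict` flag, the function names and the sample objects are assumptions made for illustration; signature verification is out of scope here and would still be required.

```python
import base64
import json

JAR_TYP = "oauth.authz.req+jwt"  # value quoted in the thread


def make_sample(header: dict) -> str:
    """Build a constructed sample request object (placeholder signature, not valid)."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return ".".join([enc(header), enc({"client_id": "example-client"}), "c2ln"])


def read_header(jwt: str) -> dict:
    """Decode the JOSE header of a compact JWS. Does NOT verify the signature."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    seg = parts[0]
    header = json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))
    if not isinstance(header, dict):
        raise ValueError("JOSE header is not a JSON object")
    return header


def check_typ(jwt: str, strict: bool) -> str:
    """Return 'jar' for a typed request object, 'untyped' for one without typ.

    strict=True  (hypothetical strict mode): typ must be present and match.
    strict=False (hypothetical compat mode): a missing typ is accepted, as sent
                 by clients that build request objects without it; a typ that
                 names some other media type is still rejected.
    """
    typ = read_header(jwt).get("typ")
    if typ is None:
        if strict:
            raise ValueError("typ header missing")
        return "untyped"
    if not isinstance(typ, str):
        raise ValueError("typ header is not a string")
    # RFC 7515 4.1.9: the "application/" prefix may be omitted; media type
    # names compare case-insensitively.
    norm = typ.lower()
    if norm.startswith("application/"):
        norm = norm[len("application/"):]
    if norm != JAR_TYP:
        raise ValueError("unexpected typ: " + typ)
    return "jar"


if __name__ == "__main__":
    for hdr in ({"alg": "RS256", "typ": JAR_TYP}, {"alg": "RS256"}):
        print(hdr, "->", check_typ(make_sample(hdr), strict=False))
```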
