Hi Brock,

Starting from the easy one: 3) has been addressed. It does not break the existing OIDC implementation either, as there are no requirements as to the mime-type checking there.

Now, 2) will break all OIDC implementations. It is quite late to bring this in, and I and my colleagues did not find a security benefit that balances such a breaking change. I could add 1) as an optional claim though.

Best,

Nat Sakimura

On Thu, May 7, 2020 at 10:32 PM Brock Allen <[email protected]> wrote:
> Perhaps quite late, but a few comments/questions related to this:
>
> 1) When decoded, all the JWT samples are missing the "typ" claim from the header, which I think should be "oauth.authz.req+jwt".
>
> 2) When validating the JAR, if we are to validate the "typ", then this would be incompatible with OIDC's request object, I think?
>
> 3) When the JAR is passed by reference, then the HTTP response Content-Type of "application/oauth.authz.req+jwt" would also seem to break or be incompatible with OIDC's request object passed by reference?
>
> There might need to be clarification when mixing this w/ an OIDC OP implementation.
>
> TIA
>
> -Brock
>
> _______________________________________________
> OAuth mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/oauth

--
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en
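The trade-off discussed above (a mandatory "typ" rejects existing OIDC request objects, an optional one still lets a server refuse a JWT minted for another purpose), as an added illustration that is not code from the thread or from any JAR implementation; the lenient acceptance of `application/jwt` for request_uri responses and the sample JWTs are assumptions constructed for the example.

```python
import base64
import json

# "typ" value proposed in the quoted message (the draft text of the time).
JAR_TYP = "oauth.authz.req+jwt"


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWS strips."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jose_header(jwt: str) -> dict:
    """Return the decoded JOSE header of a compact JWS (signature verified elsewhere)."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[0]))


def typ_accepted(header: dict, require_typ: bool) -> bool:
    """Policy for the request object's 'typ' header.

    require_typ=True : option 2) in the thread; OIDC request objects, which carry no 'typ', fail.
    require_typ=False: 'typ' optional, Nat's proposed compromise; a missing 'typ' passes, but a
                       present 'typ' naming another token type is still rejected (RFC 7515 says
                       'typ' is compared case-insensitively, hence the lower()).
    """
    typ = header.get("typ")
    if typ is None:
        return not require_typ
    return typ.lower() == JAR_TYP


def request_uri_content_type_ok(content_type: str, strict: bool) -> bool:
    """Point 3): check the Content-Type of a request object fetched by reference.

    strict=True accepts only the JAR media type; strict=False also accepts
    application/jwt (an assumed allowance for deployed OIDC OPs, not from the spec).
    """
    media_type = content_type.split(";", 1)[0].strip().lower()
    allowed = {"application/" + JAR_TYP} | (set() if strict else {"application/jwt"})
    return media_type in allowed


def _make_jwt(header: dict) -> str:
    """Constructed, unsigned sample (empty signature segment) for demonstration only."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).decode().rstrip("=")
    return enc(header) + "." + enc({"client_id": "s6BhdRkqt3", "response_type": "code"}) + "."


JAR_JWT = _make_jwt({"alg": "RS256", "typ": JAR_TYP})
OIDC_JWT = _make_jwt({"alg": "RS256"})                  # OIDC request object: no 'typ'
OTHER_JWT = _make_jwt({"alg": "RS256", "typ": "at+jwt"})  # header of a JWT access token
```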
