On Sat, Aug 15, 2020 at 3:08 AM Vladimir Dzhuvinov <vladi...@connect2id.com> wrote:
> Regarding the "sub != client_id" check -- could a simple rejection of all
> JWTs with "sub" present suffice?
>

Prohibiting the use of "sub" in request object JWTs would suffice, yes. I'd suggested the more narrow/specific prohibition with the aim of a smaller scoped change. But perhaps it'd be simpler to just say don't use "sub"? I can't think of any non-erroneous reason sub would be in a request object.
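The two alternatives under discussion, written out as claim checks on a request object JWT, as an added example that is not part of the thread or of any project's code. The client_id and the tokens are constructed sample values, and signature verification is assumed to have already happened before these checks run.

```python
import base64
import json

CLIENT_ID = "s6BhdRkqt3"  # constructed sample client_id, not from the thread


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(part: str) -> bytes:
    # Compact JWS parts omit base64url padding; restore it before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def make_request_object(claims: dict) -> str:
    """Constructed test vector: header.payload with an empty signature slot.
    Only the claim checks are demonstrated here; an AS must verify the
    signature before trusting any of these claims."""
    header = {"alg": "RS256"}
    return ".".join([
        _b64url(json.dumps(header).encode()),
        _b64url(json.dumps(claims).encode()),
        "",
    ])


def request_object_claims(jwt: str) -> dict:
    """Split a compact-serialized JWT and decode its payload claims."""
    _header, payload, _signature = jwt.split(".")
    return json.loads(_b64url_decode(payload))


def validate_narrow(jwt: str, client_id: str) -> bool:
    """Narrower rule from the thread: reject only when 'sub' equals the
    client_id (the shape a client authentication assertion would have)."""
    claims = request_object_claims(jwt)
    return claims.get("sub") != client_id


def validate_broad(jwt: str, client_id: str) -> bool:
    """Broader rule from the thread: a request object must not carry 'sub'
    at all, whatever its value."""
    claims = request_object_claims(jwt)
    return "sub" not in claims
```

Running both checks over the same tokens shows where they differ: a request object whose "sub" is some value other than the client_id passes the narrow rule but is rejected by the broad one.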