I am creating a new thread to discuss the end of my email from yesterday, which has been deleted from the thread called "BCP: Client collaborative attacks":
*Comment on section 4: "Validating JWT Access Tokens"*

The JWT profile for OAuth 2.0 access tokens [draft-ietf-oauth-access-token-jwt] mandates including a "sub" claim in an access token. However, this section does not mandate the RS to verify that the claims allowing the RS to uniquely identify the holder of the access token are indeed present inside the access token. It might be useful to add it, so that the above text can refer to it.

Denis
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth