I agree with Brian’s proposed fix — that is a “target URI” as defined by “HTTP”. The fact that it’s :also: required to be HTTPS is separate.
— Justin

On Jan 9, 2023, at 7:58 AM, Brian Campbell <bcampbell=40pingidentity....@dmarc.ietf.org> wrote:

> Thanks Dominick, I believe they should both use HTTP because that claim and check is about something from HTTP semantics. And the general requirement to use HTTPS is stated elsewhere. I'll update that accordingly as part of IETF last call <https://mailarchive.ietf.org/arch/msg/oauth/ckcPWi5XrtzZ8-mmxBUwDegkw3A/>.
>
> On Sun, Jan 8, 2023 at 8:01 AM Dominick Baier <dba...@leastprivilege.com> wrote:
>
>> Hi,
>>
>> While implementing I found
>>
>> Section 4.2 says
>>
>> htu: The HTTP target URI (Section 7.1 of [RFC9110]), without query and fragment parts, of the request to which the JWT is attached.
>>
>> While Section 4.3 says
>>
>> the htu claim matches the HTTPS URI value for the HTTP request in which the JWT was received, ignoring any query and fragment parts
>>
>> HTTP vs HTTPS
>>
>> cheers
>> Dominick
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
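The distinction discussed in this thread, as an added example that is not code from any of the participants or from the draft: a server-side `htu` comparison on the HTTP target URI with query and fragment ignored, and the HTTPS requirement enforced as a separate check. The function names and the `server.example.com` URIs are constructed for illustration, and the case and default-port normalization is an assumption of this example (percent-encoding and dot-segment normalization are not handled).

```python
from urllib.parse import urlsplit, urlunsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_target_uri(uri: str) -> str:
    """Return scheme://host[:port]/path with query and fragment removed."""
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    if scheme not in DEFAULT_PORTS or not host:
        raise ValueError("not an absolute http(s) URI")
    if parts.username is not None or parts.password is not None:
        raise ValueError("userinfo is not expected in a target URI")
    if ":" in host:                      # IPv6 literal: restore the brackets
        host = f"[{host}]"
    port = parts.port                    # raises ValueError on a malformed port
    netloc = host if port in (None, DEFAULT_PORTS[scheme]) else f"{host}:{port}"
    return urlunsplit((scheme, netloc, parts.path or "/", "", ""))


def htu_matches(htu_claim: str, request_uri: str) -> bool:
    """The htu check: an HTTP-semantics comparison of two target URIs."""
    try:
        return normalize_target_uri(htu_claim) == normalize_target_uri(request_uri)
    except ValueError:
        return False                     # malformed or relative URI never matches


def uses_https(request_uri: str) -> bool:
    """The separate transport requirement, enforced independently of htu."""
    return urlsplit(request_uri).scheme.lower() == "https"


def accept_proof_uri(htu_claim: str, request_uri: str) -> bool:
    """Both conditions must hold; neither one implies the other."""
    return uses_https(request_uri) and htu_matches(htu_claim, request_uri)


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    claim = "https://server.example.com/token"
    for received in ("https://SERVER.example.com:443/token?x=1#frag",
                     "https://server.example.com/resource",
                     "http://server.example.com/token"):
        print(received, htu_matches(claim, received), uses_https(received))
```
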