On 17/05/2026 at 04:08, Ashwin Ambekar wrote:
EPOP defines a single unified token type that carries both the credential (authorization code, access token, or refresh token) and its cryptographic proof of possessio
For what it's worth, SD-JWT [1] already has a mechanism for associating a key binding proof of possession to a JWT in a single token:

<Issuer-signed JWT>~<KB-JWT>

Would it make sense to reuse this syntax in other contexts?

[1] https://datatracker.ietf.org/doc/html/rfc9901

Regards,
Gabriel
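An added example, not part of the original message or of any draft's own code: a receiver-side structural check of the `<Issuer-signed JWT>~<KB-JWT>` form, confirming that the key binding JWT's `sd_hash` commits to the issuer-signed JWT it is attached to. Assumptions: SHA-256 as the hash, signature verification of both JWTs done elsewhere, and all function names, URLs and sample values constructed for illustration.

```python
import base64, hashlib, json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def decode_segment(segment: str) -> dict:
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))

def split_presentation(token: str):
    """Split <Issuer-signed JWT>~<Disclosure>*~<KB-JWT> into its three parts."""
    parts = token.split("~")
    if len(parts) < 2:
        raise ValueError("no '~' separator: not an SD-JWT presentation")
    if not parts[-1]:
        raise ValueError("token ends with '~': no key binding JWT attached")
    return parts[0], parts[1:-1], parts[-1]

def check_key_binding(token: str, expected_nonce: str) -> dict:
    """Structural checks only. Assumption: both JWS signatures are verified elsewhere."""
    issuer_jwt, _disclosures, kb_jwt = split_presentation(token)
    if issuer_jwt.count(".") != 2 or kb_jwt.count(".") != 2:
        raise ValueError("both parts must be compact JWS (three segments)")
    header, claims = (decode_segment(s) for s in kb_jwt.split(".")[:2])
    if header.get("typ") != "kb+jwt":
        raise ValueError("last part is not typed as a key binding JWT")
    # sd_hash covers everything before the KB-JWT, including the final '~'.
    # Assumption: SHA-256 (the SD-JWT default when _sd_alg is absent).
    covered = token[: -len(kb_jwt)]
    if claims.get("sd_hash") != b64url(hashlib.sha256(covered.encode("ascii")).digest()):
        raise ValueError("sd_hash does not match the presented issuer-signed JWT")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch: proof was not made for this request")
    return claims

def make_sample(subject: str, nonce: str) -> str:
    """Constructed sample token; signatures are placeholders, not real JWS signatures."""
    enc = lambda obj: b64url(json.dumps(obj).encode())
    fake = lambda h, p: f"{enc(h)}.{enc(p)}.{b64url(b'placeholder-signature')}"
    issuer_jwt = fake({"alg": "ES256"}, {"iss": "https://issuer.example", "sub": subject})
    sd_hash = b64url(hashlib.sha256((issuer_jwt + "~").encode("ascii")).digest())
    kb_jwt = fake({"alg": "ES256", "typ": "kb+jwt"},
                  {"aud": "https://rs.example", "iat": 1700000000,
                   "nonce": nonce, "sd_hash": sd_hash})
    return issuer_jwt + "~" + kb_jwt
```

A key binding JWT moved onto a different issuer-signed JWT fails the `sd_hash` comparison, which is the property that lets the two parts travel as one token.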
