Re: [OAUTH-WG] Following up on token exchange use case

2016-10-03 Thread Brian Campbell
Would your use-case be better accommodated by changing the requiredness of the request parameters so that it'd be sufficient to provide either the subject_token or the actor_token? I've always felt that it was simpler and more straightforward to always have the subject token. And that cases where

[OAUTH-WG] JWT: Algorithm choice as an attack vector

2016-10-03 Thread Maciej Kwidzinski
Hi, Tim McLean describes an attack vector on JWT-protected services in his blog post: https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/ The culprit is relying on the algorithm in the JWT header. The workaround/recommendation is to ignore the algorithm from the header

[OAUTH-WG] oauth - New Meeting Session Request for IETF 97

2016-10-03 Thread "IETF Meeting Session Request Tool"
A new meeting session request has just been submitted by Hannes Tschofenig, a Chair of the oauth working group. Working Group Name: Web Authorization Protocol; Area Name: Security Area; Session Requester: Hannes Tschofenig; Number of