Good point. Thanks, Brian.
We should retrofit typs everywhere... in hindsight.
———
Dominick Baier
On 22. July 2020 at 23:55:20, Brian Campbell (bcampb...@pingidentity.com)
wrote:
Even more. Jwsreq should have it. But the authors decided against it.
———
Dominick Baier
On 23. July 2020 at 07:38:04, Dominick Baier (dba...@leastprivilege.com)
wrote:
Thanks Vladimir, both comments should be easy to address in -03 (HTTPS/TLS
required and SHOULD on short lifetime *and* single use).
On Sun, Jul 19, 2020 at 12:55 PM Vladimir Dzhuvinov
wrote:
> Thanks for the update. With the "require PAR" AS and client metadata the
> spec is now "policy
Because it wouldn't actually prevent it in this case due to JWT assertion
client authentication (a.k.a. private_key_jwt) having come about well
before the JWT BCP and the established concept of using the 'typ' header to
prevent cross-JWT confusion. Thus there's no validation rule regarding the
> On 22. Jul 2020, at 22:16, Vladimir Dzhuvinov wrote:
>
> On 21/07/2020 18:43, Torsten Lodderstedt wrote:
>>
>>> On 21. Jul 2020, at 17:40, Vladimir Dzhuvinov wrote:
>>>
>>> On 21/07/2020 17:47, Justin Richer wrote:
> On Jul 19, 2020, at 1:04 PM, Vladimir Dzhuvinov wrote:
On 18/07/2020 17:12, Justin Richer wrote:
> I think
Why not use a typ header as suggested by the JWT BCP?
———
Dominick Baier
On 22. July 2020 at 17:37:41, Brian Campbell (bcampbell=40pingidentity@dmarc.ietf.org) wrote:
The TL;DR here is a somewhat tentative suggestion that a brief security
consideration be added to
https://datatracker.ietf.org/doc/draft-ietf-oauth-jwsreq/ that prohibits
the inclusion of a 'sub' claim containing the client id value in the
request object JWT so as to prevent the request object JWT
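The two defences discussed in this thread, as an added example that is not code from the thread or from any draft: an authorization-endpoint check that requires an explicit request-object typ (the JWT BCP approach) and additionally rejects a request object whose sub is the client id (the suggested jwsreq rule), so a private_key_jwt client assertion signed with the same key cannot be accepted as a request object. The typ value, the HMAC key, the client id and the URLs are assumptions chosen for the demo.

```python
import base64, hashlib, hmac, json

# Constructed demo values (not from the thread); HMAC stands in for the client's key pair.
KEY = b"demo-shared-secret"
CLIENT_ID = "s6BhdRkqt3"
REQUEST_OBJECT_TYP = "oauth-authz-req+jwt"  # assumed typ; jwsreq had none at the time

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_jwt(header, claims, key=KEY):
    # Compact HS256 JWS; HMAC only so the demo needs no key pair.
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify_jws(token, key=KEY):
    # Check the signature, then return (header, claims).
    h, p, s = token.split(".")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(h)), json.loads(_b64url_decode(p))

def request_object_problems(header, claims, client_id):
    # Cross-JWT confusion checks an authorization endpoint applies to a request object.
    problems = []
    if header.get("typ") != REQUEST_OBJECT_TYP:  # explicit typing per the JWT BCP
        problems.append("typ is not the request-object type")
    if claims.get("sub") == client_id:  # the 'sub' prohibition suggested in the thread
        problems.append("sub equals client_id, so this is shaped like a client assertion")
    return problems

def validate_request_object(token, client_id, key=KEY):
    header, claims = verify_jws(token, key)
    problems = request_object_problems(header, claims, client_id)
    if problems:
        raise ValueError("; ".join(problems))
    return claims

# A private_key_jwt client assertion: iss == sub == client_id, aud = token endpoint.
CLIENT_ASSERTION = make_jwt({"alg": "HS256", "typ": "JWT"},
    {"iss": CLIENT_ID, "sub": CLIENT_ID, "aud": "https://as.example/token", "jti": "x1"})
# A genuine request object for the same client, signed with the same key.
REQUEST_OBJECT = make_jwt({"alg": "HS256", "typ": REQUEST_OBJECT_TYP},
    {"iss": CLIENT_ID, "client_id": CLIENT_ID, "aud": "https://as.example",
     "response_type": "code", "redirect_uri": "https://client.example/cb"})
```

Either check alone is enough to refuse the client assertion; keeping both covers deployments whose request objects predate an agreed typ.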