Re: [OAUTH-WG] [EXTERNAL] Re: Benjamin Kaduk's No Objection on draft-ietf-oauth-jwsreq-26: (with COMMENT)

2020-08-17 Thread Brian Campbell
I might suggest that thinking about it in the context of interoperability would be more meaningful than certification tests. Saying that an AS MUST reject the Request object if it has a typ header and the value of the header is not ‘oauth.authz.req+jwt’ [1] should allow for interoperability with

Re: [OAUTH-WG] Benjamin Kaduk's No Objection on draft-ietf-oauth-jwsreq-26: (with COMMENT)

2020-08-17 Thread Brian Campbell
On Sat, Aug 15, 2020 at 3:08 AM Vladimir Dzhuvinov wrote:
> Regarding the "sub != client_id" check -- could a simple rejection of all
> JWTs with "sub" present suffice?

Prohibiting the use of "sub" in request object JWTs would suffice, yes. I'd suggested the more narrow/specific prohibition