Re: [OAUTH-WG] Omit "jwk" (or use "kid" instead) in DPoP Proof?

2020-09-08 Thread Dick Hardt
+1 KISS On Tue, Sep 8, 2020 at 3:55 PM John Bradley wrote: > +1 > On 9/8/2020 7:45 PM, Brian Campbell wrote: > > Indeed there are cases, as you point out, where the key might be knowable > to the server via some other means, which makes the "jwk" header in the > DPoP proof not strictly

Re: [OAUTH-WG] Omit "jwk" (or use "kid" instead) in DPoP Proof?

2020-09-08 Thread John Bradley
+1 On 9/8/2020 7:45 PM, Brian Campbell wrote: > Indeed there are cases, as you point out, where the key might be > knowable to the server via some other means, which makes the "jwk" > header in the DPoP proof not strictly necessary. And while omitting > the key in such cases would reduce the size

Re: [OAUTH-WG] Omit "jwk" (or use "kid" instead) in DPoP Proof?

2020-09-08 Thread Brian Campbell
Indeed there are cases, as you point out, where the key might be knowable to the server via some other means, which makes the "jwk" header in the DPoP proof not strictly necessary. And while omitting the key in such cases would reduce the size of some messages (the DPoP proof anyway), such

Re: [OAUTH-WG] draft-ietf-oauth-access-token-jwt-07

2020-09-08 Thread Dick Hardt
Denis The objective of this document is to standardize the token the AS shares with the RS. It is not to standardize how the client can read the token. Just because the user is using the client, that does not mean the user wants the client to see any claims about themselves. Letting the client

Re: [OAUTH-WG] draft-ietf-oauth-access-token-jwt-07

2020-09-08 Thread Denis
Hi Hannes, Two comments between the lines. Hi Victorio, Hi all, I am doing my shepherd write-up for draft-ietf-oauth-access-token-jwt-07. Reading through the draft I have a few minor suggestions: Section 2: I would delete this sentence "JWT access tokens are regular JWTs complying with

Re: [OAUTH-WG] Omit "jwk" (or use "kid" instead) in DPoP Proof?

2020-09-08 Thread Takahiko Kawasaki
To enable each "instance" of a client application to use a key pair which is dedicated to the instance, the public key needs to be included in the DPoP proof. On the other hand, in the scenario you described, all instances of the client application have to share one key pair. If client application

[OAUTH-WG] Omit "jwk" (or use "kid" instead) in DPoP Proof?

2020-09-08 Thread toshio9.ito
Hi all, In section 4.1 of draft-ietf-oauth-dpop-01, the "jwk" header parameter is REQUIRED. However, there are some cases where "jwk" is not necessary in theory. For example, consider a case where the client is registered with the Authorization Server, and its one and only public key is also

[OAUTH-WG] draft-ietf-oauth-access-token-jwt-07

2020-09-08 Thread Hannes Tschofenig
Hi Victorio, Hi all, I am doing my shepherd write-up for draft-ietf-oauth-access-token-jwt-07. Reading through the draft I have a few minor suggestions: Section 2: I would delete this sentence "JWT access tokens are regular JWTs complying with the requirements described in this section."