+1
KISS
On Tue, Sep 8, 2020 at 3:55 PM John Bradley wrote:
> +1
> On 9/8/2020 7:45 PM, Brian Campbell wrote:
>
> Indeed there are cases, as you point out, where the key might be knowable
> to the server via some other means, which makes the "jwk" header in the
> DPoP proof not strictly
+1
On 9/8/2020 7:45 PM, Brian Campbell wrote:
> Indeed there are cases, as you point out, where the key might be
> knowable to the server via some other means, which makes the "jwk"
> header in the DPoP proof not strictly necessary. And while omitting
> the key in such cases would reduce the size
Indeed there are cases, as you point out, where the key might be knowable
to the server via some other means, which makes the "jwk" header in the
DPoP proof not strictly necessary. And while omitting the key in such cases
would reduce the size of some messages (the DPoP proof anyway), such
Denis
The objective of this document is to standardize the token the AS shares
with the RS. It is not to standardize how the client can read the token.
Just because the user is using the client, that does not mean the user
wants the client to see any claims about themselves. Letting the client
Hi Hannes,
Two comments between the lines.
To enable each "instance" of a client application to use a key pair which
is dedicated to the instance, the public key needs to be included in the
DPoP proof. On the other hand, in the scenario you described, all instances
of the client application have to share one key pair. If client application
Hi all,
In section 4.1 of draft-ietf-oauth-dpop-01, the "jwk" header parameter is
REQUIRED. However, there are some cases where "jwk" is not necessary in theory.
For example, consider a case where the client is registered with the
Authorization Server, and its one and only public key is also
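The two DPoP fragments above (the question of whether the "jwk" header in the DPoP proof is needed when the server already knows the key, and the reply that a per-instance key pair only works if the public key travels in the proof) turn on one check on the resource server: the key presented in "jwk" must be the key the AS bound the access token to, via the cnf.jkt thumbprint. Below is an added example, written for this page and not code from the DPoP draft, its authors or any thread participant, of both sides of that exchange in Go using only the standard library. It assumes ES256 with a P-256 key, a 60-second acceptance window on iat, the function names MakeProof and VerifyProof, and the constructed request target https://rs.example/resource; a real RS would read expectedJKT from the cnf claim of the access token that accompanies the request rather than from a local variable.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

var b64 = base64.RawURLEncoding

// ecJWK is a P-256 public key as a JWK; fields are in RFC 7638 order, so json.Marshal of it is the thumbprint input.
type ecJWK struct {
	Crv string `json:"crv"`
	Kty string `json:"kty"`
	X   string `json:"x"`
	Y   string `json:"y"`
}

func toJWK(pub *ecdsa.PublicKey) ecJWK {
	return ecJWK{Crv: "P-256", Kty: "EC",
		X: b64.EncodeToString(pub.X.FillBytes(make([]byte, 32))),
		Y: b64.EncodeToString(pub.Y.FillBytes(make([]byte, 32)))}
}

// Thumbprint is the RFC 7638 SHA-256 thumbprint the AS puts in the token's cnf.jkt claim.
func Thumbprint(j ecJWK) string {
	canon, _ := json.Marshal(j)
	sum := sha256.Sum256(canon)
	return b64.EncodeToString(sum[:])
}

// MakeProof (client side) builds an ES256 DPoP proof carrying the instance's own public key in "jwk".
func MakeProof(priv *ecdsa.PrivateKey, htm, htu string, iat int64) (string, error) {
	jti := make([]byte, 16) // fresh per proof, so the RS can reject replays
	if _, err := rand.Read(jti); err != nil { return "", err }
	h, _ := json.Marshal(map[string]any{"typ": "dpop+jwt", "alg": "ES256", "jwk": toJWK(&priv.PublicKey)})
	c, _ := json.Marshal(map[string]any{"jti": b64.EncodeToString(jti), "htm": htm, "htu": htu, "iat": iat})
	input := b64.EncodeToString(h) + "." + b64.EncodeToString(c)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil { return "", err }
	// JWS ES256 signatures are the raw 64-byte r||s, not the ASN.1 that ecdsa.SignASN1 yields.
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...)
	return input + "." + b64.EncodeToString(sig), nil
}

// VerifyProof (resource server side): expectedJKT is the access token's cnf.jkt; now is the server clock (Unix seconds).
func VerifyProof(proof, expectedJKT, htm, htu string, now int64) error {
	parts := strings.Split(proof, ".")
	if len(parts) != 3 { return errors.New("malformed proof") }
	var h struct{ Typ, Alg string; JWK ecJWK }
	var c struct{ Htm, Htu string; Iat int64 }
	hb, _ := b64.DecodeString(parts[0]) // a decode failure surfaces as a JSON error below
	cb, _ := b64.DecodeString(parts[1])
	sig, err := b64.DecodeString(parts[2])
	if err != nil || len(sig) != 64 || json.Unmarshal(hb, &h) != nil || json.Unmarshal(cb, &c) != nil {
		return errors.New("bad encoding")
	}
	if h.Typ != "dpop+jwt" || h.Alg != "ES256" || h.JWK.Kty != "EC" || h.JWK.Crv != "P-256" {
		return errors.New("unexpected header")
	}
	// The check that makes an embedded "jwk" safe: it must be the key the AS bound the
	// token to, or anyone holding a stolen token could present a proof under their own key.
	if Thumbprint(h.JWK) != expectedJKT {
		return errors.New("proof key does not match token binding")
	}
	x, _ := b64.DecodeString(h.JWK.X) // after the match these are the bound key's coordinates
	y, _ := b64.DecodeString(h.JWK.Y)
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(x), Y: new(big.Int).SetBytes(y)}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return errors.New("bad signature")
	}
	if c.Htm != htm || c.Htu != htu || c.Iat > now+60 || c.Iat < now-60 {
		return errors.New("proof is not for this request, or outside the acceptance window")
	}
	return nil
}

func main() {
	// Constructed demo: one client instance with its own key pair, and an attacker who holds the token but not the key.
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	jkt := Thumbprint(toJWK(&priv.PublicKey))
	proof, _ := MakeProof(priv, "GET", "https://rs.example/resource", 1599600000)
	fmt.Println("instance key:", VerifyProof(proof, jkt, "GET", "https://rs.example/resource", 1599600000))
	attacker, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	forged, _ := MakeProof(attacker, "GET", "https://rs.example/resource", 1599600000)
	fmt.Println("attacker key:", VerifyProof(forged, jkt, "GET", "https://rs.example/resource", 1599600000))
}
```

Note what the thumbprint comparison buys: once it passes, the "jwk" the RS is about to verify against is byte-for-byte the key the AS bound the token to, so the RS never has to fetch or store per-instance keys, which is exactly what lets every instance of a public client hold its own key pair. If "jwk" were omitted in the registered-single-key case described above, the RS would instead look the key up by client identity and the binding check would become "is this the registered key", with the cost that all instances of that client share one key.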
Hi Victorio, Hi all,
I am doing my shepherd write-up for draft-ietf-oauth-access-token-jwt-07.
Reading through the draft I have a few minor suggestions:
Section 2:
I would delete this sentence "JWT access tokens are regular JWTs complying with
the requirements described in this section."