Thank you, Brian, for the reference: A.12 - access token syntax (RFC 6749).
That really helped.
On Tue, Dec 27, 2022 at 10:32 PM Brian Campbell
wrote:
No bit flipping is needed. It is just meant to say that the bytes of the
ASCII representation of the access token value are the input to the hash
function. The access token value itself should only be made up of
printable ASCII characters
<https://www.rfc-editor.org/rfc/rfc6749#appendix-A.12> BTW.
DPoP mentions the **ASCII encoding** of a token value. This appears twice
in the spec:
*section 4.2. DPoP Proof JWT Syntax*...
ath: hash of the access token. The value MUST be the result of a base64url
encoding (as defined in Section 2 of [RFC7515]) the SHA-256 [SHS] hash of
the ASCII encoding of
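
Added example, not part of the original thread or of the DPoP specification: a Python sketch of the `ath` computation as explained in the reply above, with the RFC 6749 A.12 character check applied before hashing. The function names and the sample token are assumptions made for illustration.

```python
import base64
import hashlib
import hmac

# Constructed sample value, not a real token.
SAMPLE_TOKEN = "constructed.sample-token~123_abc"


def token_ascii_bytes(access_token: str) -> bytes:
    """Return the token's ASCII bytes, enforcing RFC 6749 A.12 (1*VSCHAR, %x20-7E)."""
    if not access_token or any(not 0x20 <= ord(c) <= 0x7E for c in access_token):
        raise ValueError("access token must be one or more printable ASCII characters")
    # No decoding or transformation: the characters as presented are the hash input.
    return access_token.encode("ascii")


def compute_ath(access_token: str) -> str:
    """base64url (unpadded, RFC 7515 Section 2) of SHA-256 over the token's ASCII bytes."""
    digest = hashlib.sha256(token_ascii_bytes(access_token)).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def ath_matches(access_token: str, ath_claim: object) -> bool:
    """Resource-server side check of a proof's ath claim against the presented token."""
    if not isinstance(ath_claim, str):
        return False
    try:
        expected = compute_ath(access_token)
    except ValueError:
        return False
    # Constant-time comparison of the two encoded hashes.
    return hmac.compare_digest(expected.encode("ascii"), ath_claim.encode("utf-8"))


if __name__ == "__main__":
    ath = compute_ath(SAMPLE_TOKEN)
    print(ath, ath_matches(SAMPLE_TOKEN, ath))
```

A token that happens to look like base64 or a JWT is still hashed as the literal string presented; it is not decoded first.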