Re: [OAUTH-WG] New Version Notification for draft-meyerzuselhausen-oauth-iss-auth-resp-01.txt

2020-11-03 Thread Joseph Heenan
I agree, it is redundant in the JARM case. I find the text in https://www.ietf.org/archive/id/draft-meyerzuselhausen-oauth-iss-auth-resp-01.html#name-security-considerations (the 4th paragraph, where JARM & JWTs are mentioned) a bit confusing - I think it would be good to say something along

Re: [OAUTH-WG] Android App Links (AKA Universal Links)

2020-11-03 Thread Dick Hardt
Thanks Joseph. George Fletcher ran a great session on the topic at the last IIW as well. George: do you have a link? On Tue, Nov 3, 2020 at 11:09 AM Joseph Heenan wrote: > Hi Dick > > I didn’t attend the call so don’t know the background of this and the > exact situation, but the general

Re: [OAUTH-WG] Android App Links (AKA Universal Links)

2020-11-03 Thread Joseph Heenan
Hi Dick I didn’t attend the call so don’t know the background of this and the exact situation, but the general problem is mostly where the Authorization Server’s app is *not* installed. In that case Android falls back to much weaker mechanisms that allow other apps to get a look in. App links

Re: [OAUTH-WG] Android App Links (AKA Universal Links)

2020-11-03 Thread Tim Cappalli
Here’s the OSW recording on app2app. https://www.youtube.com/watch?v=vktyY5CXwjg From: OAuth Date: Tuesday, November 3, 2020 at 14:14 To: Joseph Heenan, George Fletcher Cc: oauth Subject: Re: [OAUTH-WG] Android App Links (AKA Universal Links) Thanks Joseph. George Fletcher ran a great

Re: [OAUTH-WG] New Version Notification for draft-meyerzuselhausen-oauth-iss-auth-resp-01.txt

2020-11-03 Thread Takahiko Kawasaki
It sounds like the Security Considerations section or somewhere appropriate should have a paragraph like below. When an authorization response includes a JWT whose `iss` claim represents the issuer identifier of the authorization server, the `iss` claim can be used as a substitute for the `iss`

Re: [OAUTH-WG] Android App Links (AKA Universal Links)

2020-11-03 Thread George Fletcher
I sent in some notes but I don't have a link for the recording. I don't believe the recordings were being kept much past the end of the conference. I'm pretty sure I heard that the recordings would be removed after N days (I don't remember what N was stated as:) Joseph's explanation is better