Re: [OAUTH-WG] self-issued access tokens

2021-10-01 Thread David Waite
> On Oct 1, 2021, at 11:06 AM, Dick Hardt wrote:
> If there is really only one service, then there is little value in an AS. I would have the client post a JWT that has the request payload in it, or a detached signature if it is a large payload. Personally, I like sending the request

Re: [OAUTH-WG] self-issued access tokens

2021-10-01 Thread Dick Hardt
If it were me, I would be looking at one of two options. If you have a number of resource servers, then I would have one AS that would manage authentication and authorization of the client. This enables separation of concerns of client authn and authz from the RS, and puts client blacklisting in