I have a fundamental question. While separating signature and payload by a dot "." seems OK, I still do not have the answer to the question "why not make everything into JSON and base64url it?".

I.e., right now, you are proposing:

    base64url_encode(JSON(payload,envelope)).base64url_encode(signature)

Why not

    base64url_encode(JSON(payload,envelope,signature))

It probably is less hassle in terms of coding. (It is true that some parameters get base64url encoded twice, but BTW, some of the envelope parameters, such as alg, need to be signed as well to thwart the algorithm-replacing attack.)

--
Nat Sakimura (=nat)
http://www.sakimura.org/en/
http://twitter.com/_nat_en

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
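An added example, not part of the thread, illustrating the point about signing the envelope: the HMAC is computed over base64url(envelope).base64url(payload) (the three-segment layout the later JWS compact serialization adopted), so any change to the envelope, including alg, invalidates the signature, and the verifier additionally restricts alg to an allowlist rather than trusting it. The key, claim values and helper names are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json

# Verifier-side allowlist of acceptable algorithms (a defensive assumption).
ALLOWED_ALGS = {"HS256"}

def b64url(data: bytes) -> str:
    """base64url without trailing '=' padding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _json_bytes(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":")).encode("utf-8")

def sign_compact(envelope: dict, payload: dict, key: bytes) -> str:
    """Compact form b64url(envelope).b64url(payload).b64url(signature).
    The HMAC covers the first two segments, so 'alg' in the envelope is signed."""
    seg_env, seg_pay = b64url(_json_bytes(envelope)), b64url(_json_bytes(payload))
    sig = hmac.new(key, f"{seg_env}.{seg_pay}".encode("ascii"), hashlib.sha256).digest()
    return f"{seg_env}.{seg_pay}.{b64url(sig)}"

def verify_compact(token: str, key: bytes):
    """Return the payload dict if the token verifies, otherwise None.
    'alg' is read only to check it against the allowlist; the signature is then
    recomputed over envelope and payload, so a modified envelope fails."""
    try:
        seg_env, seg_pay, seg_sig = token.split(".")
        envelope = json.loads(b64url_decode(seg_env))
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return None
    if not isinstance(envelope, dict) or envelope.get("alg") not in ALLOWED_ALGS:
        return None
    expected = hmac.new(key, f"{seg_env}.{seg_pay}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(seg_sig)):
        return None
    return json.loads(b64url_decode(seg_pay))

def with_envelope_replaced(token: str, new_envelope: dict) -> str:
    """Negative-test helper (constructed): keep payload and signature, swap the envelope.
    A verifier that left the envelope unsigned would accept this; ours must not."""
    _, seg_pay, seg_sig = token.split(".")
    return f"{b64url(_json_bytes(new_envelope))}.{seg_pay}.{seg_sig}"
```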