Mike,
I've read through the JWT spec and I'm curious about something. How do I
specify a signature requirement as the server? I didn't see it but I probably
just missed it. I'm thinking that with very little work a JWT can do
everything that MAC does with greater flexibility, *BUT* the server needs to be
able to require a signed usage. Something I never liked about OAuth 1.0 is
that the server must support all valid signature types, even PLAINTEXT, so I
want to be able to avoid that.
It would require the client to be able to include client-generated stuff in the
JWT.
Thanks,
-bill
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth