It's the core problem I see MAC solving. I'd be happy enough to define a JWT
variant that does this if that's easier than MAC. What do you think?
________________________________
From: Mike Jones <michael.jo...@microsoft.com>
To: William Mills <wmills_92...@yahoo.com>; "oauth@ietf.org" <oauth@ietf.org>
Sent: Friday, January 4, 2013 2:35 PM
Subject: RE: [OAUTH-WG] December 27, 2012 OAuth Release
There’s no generic OAuth way to do this. There is a way to do it in OpenID
Connect – see request_object_signing_alg, userinfo_signed_response_alg, and
id_token_signed_response_alg in
http://openid.net/specs/openid-connect-registration-1_0-13.html#anchor3 and
userinfo_signing_alg_values_supported, id_token_signing_alg_values_supported,
and request_object_signing_alg_values_supported in
http://openid.net/specs/openid-connect-discovery-1_0-11.html#anchor9.
-- Mike
From: William Mills [mailto:wmills_92...@yahoo.com]
Sent: Friday, December 28, 2012 6:07 PM
To: Mike Jones; oauth@ietf.org
Subject: Re: [OAUTH-WG] December 27, 2012 OAuth Release
Mike,
I've read through the JWT spec and I'm curious about something. How do I
specify a signature requirement as the server? I didn't see it but I probably
just missed it. I'm thinking that with very little work a JWT can do
everything that MAC does with greater flexibility, *BUT* the server needs to be
able to require a signed usage. Something I never liked about OAuth 1.0 is
that the server must support all valid signature types, even PLAINTEXT, so I
want to be able to avoid that.
It would require the client to be able to include client generated stuff in the
JWT.
Thanks,
-bill
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
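The thread above turns on a server being able to require a signed JWT and refuse an unsigned (PLAINTEXT-like) one, which is what the `..._signing_alg_values_supported` metadata expresses in OpenID Connect. As an added example, written for this page and not taken from the thread or from any OAuth or OpenID specification, the Python below shows the server side of that policy: a minimal HS256 verifier that checks the header's `alg` against a server allow-list before doing any signature work, so a well-formed token carrying `alg: none` is rejected outright. The allow-list, the demo key and the claims are constructed for the example; the JWS compact form (`header.payload.signature`, base64url) is the standard JWT layout.

```python
import base64
import hashlib
import hmac
import json

# Constructed server policy: the only signing algorithms this server accepts.
# "none" is deliberately absent; that absence is what lets the server refuse
# unsigned tokens instead of having to support every algorithm a client picks.
ALLOWED_ALGS = frozenset({"HS256"})

# Constructed demo secret. A real server provisions a per-client key.
DEMO_KEY = b"constructed-demo-secret-not-for-production"


class TokenRejected(Exception):
    """Raised for any token the server policy or signature check refuses."""


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    padded = text + "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(padded.encode("ascii"))


def mint_jwt(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Produce a compact JWT. HS256 is the signed form; the 'none' form is
    produced only so the verifier can be exercised against an unsigned token."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    if alg == "HS256":
        sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
        return signing_input + "." + _b64url_encode(sig)
    if alg == "none":
        return signing_input + "."  # empty signature segment
    raise ValueError("alg not produced by this demo: " + alg)


def verify_jwt(token: str, key: bytes, allowed_algs=ALLOWED_ALGS) -> dict:
    """Verify a compact JWT under the server's algorithm policy and return its claims.

    Policy runs first: the header's alg must be in allowed_algs. Only then is
    the HMAC recomputed over the exact header.payload bytes received and
    compared in constant time against the signature segment."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenRejected("malformed token: expected three segments")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
    except ValueError:
        raise TokenRejected("undecodable header")
    alg = header.get("alg") if isinstance(header, dict) else None
    if alg not in allowed_algs:
        raise TokenRejected("alg %r not accepted by this server" % (alg,))
    if alg != "HS256":
        # The allow-list may name algorithms this demo does not implement;
        # fail closed rather than fall through to the wrong primitive.
        raise TokenRejected("alg %r accepted by policy but not implemented" % (alg,))
    expected = hmac.new(
        key, (header_b64 + "." + payload_b64).encode("ascii"), hashlib.sha256
    ).digest()
    try:
        presented = _b64url_decode(sig_b64)
    except ValueError:
        raise TokenRejected("undecodable signature")
    if not hmac.compare_digest(expected, presented):
        raise TokenRejected("signature mismatch")
    try:
        return json.loads(_b64url_decode(payload_b64))
    except ValueError:
        raise TokenRejected("undecodable payload")


if __name__ == "__main__":
    good = mint_jwt({"sub": "alice", "scope": "read"}, DEMO_KEY)
    print("signed token accepted:", verify_jwt(good, DEMO_KEY))
    unsigned = mint_jwt({"sub": "alice", "scope": "read"}, DEMO_KEY, alg="none")
    try:
        verify_jwt(unsigned, DEMO_KEY)
    except TokenRejected as exc:
        print("unsigned token rejected:", exc)
```

The ordering matters: the `alg` check happens before any decoding of the signature or payload, so the server's policy, not the client's header, decides which primitive runs. A server that wants to widen its policy adds entries to `ALLOWED_ALGS` and implements the corresponding check; nothing in the token can enlarge that set.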