Strictly speaking the JWT is signed by the "iss" identity provider's private key and validated by the client using the identity provider's public key.
Though lots of documents talk about signing with "public keys" using the term more conceptually. You could say "signed by the private portion of the identity provider's public key pair" but it is a bit awkward.

John B.

On Nov 3, 2014, at 4:27 PM, Antonio Sanso <asa...@adobe.com> wrote:

> Nice stuff Justin.
> Little nitpicking: is it just me or does this sound a bit weird: "signed by the
> identity provider's public key"?
>
> regards
>
> antonio
>
> On Nov 3, 2014, at 5:30 AM, Justin Richer <jric...@mit.edu> wrote:
>
>> As of earlier this evening, I've published the article that we've been
>> working on about dealing with OAuth and end-user authentication. It's
>> available here:
>>
>> http://oauth.net/articles/authentication/
>>
>> Huge thanks to everyone who commented on the text, both here on the list and
>> last week at IIW. If there are edits to be made, either reply here or just
>> make a pull request directly from GitHub. It's not an RFC, we can keep
>> editing it. :)
>>
>> In the process of putting this together for the site, I also created an
>> "Articles" structure on the site so that if there are other topics we want
>> to add, we (the community, not just the WG) can do so.
>>
>> -- Justin
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
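The distinction discussed in this thread, as an added example that is not part of the original messages: an RS256 JWT is produced with the issuer's private exponent and checked with only the public values. The key (built from two Mersenne primes), the issuer URL and all function names are constructed for illustration; the key is trivially factorable and exists only so the block runs without third-party libraries.

```python
import base64, hashlib, json

# Constructed demo key: the product of two Mersenne primes is a valid RSA
# modulus but trivially factorable. Illustration only, never for real tokens.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537                    # public key, published by the "iss"
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent, kept by the "iss"
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")  # DigestInfo, RFC 8017

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def encoded_message(signing_input: bytes, n: int) -> int:
    """EMSA-PKCS1-v1_5 encoding of SHA-256(signing_input), as an integer."""
    k = (n.bit_length() + 7) // 8
    t = SHA256_PREFIX + hashlib.sha256(signing_input).digest()
    em = b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t
    return int.from_bytes(em, "big")

def sign_jwt(claims: dict) -> str:
    """Identity provider side: the only step that needs the private key D."""
    header = b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = pow(encoded_message(signing_input, N), D, N)
    return f"{header}.{payload}.{b64url(sig.to_bytes((N.bit_length() + 7) // 8, 'big'))}"

def verify_jwt(token: str, n: int, e: int):
    """Client side: needs only the public (n, e). Returns claims or None."""
    try:
        header, payload, sig = token.split(".")
        if json.loads(b64url_decode(header)).get("alg") != "RS256":
            return None                # pin the algorithm, do not trust the header
        s = int.from_bytes(b64url_decode(sig), "big")
        expected = encoded_message(f"{header}.{payload}".encode(), n)
        if s >= n or pow(s, e, n) != expected:
            return None
        return json.loads(b64url_decode(payload))
    except (ValueError, TypeError, AttributeError):
        return None
```
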