A header might open another attack vector. Better to parse the jwt and look for the issuer assuming the jwt validates.
Phil

> On Mar 12, 2016, at 09:02, Jim Willeke <j...@willeke.com> wrote:
>
> Why not register JWT as an access token type and then the Issuer is
> implied?
>
> --
> -jim
> Jim Willeke
>
>> On Sat, Mar 12, 2016 at 8:32 AM, Mike Schwartz <m...@gluu.org> wrote:
>> Kawasaki-san,
>>
>> This is a really good question: how to know the issuer of a bearer token. Is
>> there a header that could be added to specify the issuer, or other important
>> metadata?
>>
>> - Mike
>>
>>
>> -------------------------------------
>> Michael Schwartz
>> Gluu
>> Founder / CEO
>> m...@gluu.org
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
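Added example, not part of the original thread: a resource-server check that reads `iss` from the JWT payload only to select a key from an allowlist, and reports the issuer only once the signature validates. The issuer URLs, keys and function names are constructed, and HS256 with per-issuer shared keys is an assumption standing in for whatever signature scheme a deployment uses.

```python
import base64, hashlib, hmac, json

# Assumption: allowlist of trusted issuers and their HS256 keys (constructed values).
TRUSTED_ISSUERS = {
    "https://as1.example.com": b"constructed-key-for-as1",
    "https://as2.example.com": b"constructed-key-for-as2",
}

def _b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_token(claims, key):
    """Build a constructed HS256 JWT so the example runs offline."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def issuer_of(token):
    """Return the issuer only if the token validates; otherwise None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:  # wrong segment count, bad base64, bad JSON
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    # Pin the algorithm; never let the token choose it (rejects "none").
    if header.get("alg") != "HS256":
        return None
    # The unverified "iss" is used only as a lookup hint into the allowlist.
    iss = claims.get("iss")
    key = TRUSTED_ISSUERS.get(iss) if isinstance(iss, str) else None
    if key is None:
        return None
    signed = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(key, signed, hashlib.sha256).digest()
    # Only after the signature checks out is the issuer claim trusted.
    return iss if hmac.compare_digest(sig, expected) else None
```
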