Would a header be a concern if TLS was used for transportation?

--
-jim
Jim Willeke

On Sat, Mar 12, 2016 at 10:03 AM, Phil Hunt (IDM) <phil.h...@oracle.com> wrote:

> A header might open another attack vector. Better to parse the jwt and
> look for the issuer assuming the jwt validates.
>
> Phil
>
> On Mar 12, 2016, at 09:02, Jim Willeke <j...@willeke.com> wrote:
>
> Why not register JWT as an access token type
> <https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml#token-types>
> and then the Issuer is implied?
>
> --
> -jim
> Jim Willeke
>
> On Sat, Mar 12, 2016 at 8:32 AM, Mike Schwartz <m...@gluu.org> wrote:
>
>> Kawasaki-san,
>>
>> This is a really good question: how to know the issuer of a bearer token.
>> Is there a header that could be added to specify the issuer, or other
>> important metadata?
>>
>> - Mike
>>
>> -------------------------------------
>> Michael Schwartz
>> Gluu
>> Founder / CEO
>> m...@gluu.org
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth