I have a few comments on the signed requests draft:

1. Have there been thoughts on extending the request JWT concept to other grant types, e.g. password and client_credentials? The ability to seal selected request parameters could prove useful there too.

2. The SHA-256 hash is computed over the "resource contents", i.e. not over the JWT [1]. Does this mean that line breaks and white space intended for improving human readability are OK? Perhaps this should be mentioned explicitly.

3. I see that no particular charset for the resource contents referenced by the request_uri is mandated, and there is no mention that the web server should indicate the charset. I suppose this was meant to make JWT deployments / uploads easier. However, this may also lead to problems if the AS tries to validate the SHA-256 hash and doesn't know what charset was used (is anyone actually expected to be validating the fragment if present?). JWT (RFC 7519) is explicit on UTF-8 though.

Thanks,

Vladimir

[1] https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-07#section-4.2

--
Vladimir Dzhuvinov
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
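Points 2 and 3 above both come down to one property of the request_uri fragment: the hash is taken over the exact bytes the server returns, not over an abstract JWT. The following Python is an added example written for this page (not code from the draft, from the mailing list, or from Vladimir) showing what an AS-side check sees when the served bytes differ only in a trailing newline or in charset. It assumes the fragment is the base64url-encoded SHA-256 digest of the resource contents (my reading of section 4.2 of the draft); the function names, the URIs and the unsigned `alg: none` Request Object are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit


def b64url(raw: bytes) -> str:
    """base64url without padding, as used in JWT segments and (assumed) in the fragment."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def resource_hash(resource_bytes: bytes) -> str:
    """SHA-256 over the exact bytes of the referenced resource, base64url encoded.
    Nothing is normalised: a trailing newline or a different charset changes the result."""
    return b64url(hashlib.sha256(resource_bytes).digest())


def build_request_uri(base_uri: str, resource_bytes: bytes) -> str:
    """Client side: append the hash of the bytes it will serve as the URI fragment."""
    return f"{base_uri}#{resource_hash(resource_bytes)}"


def verify_request_uri(request_uri: str, fetched_bytes: bytes) -> bool:
    """AS side: the bytes actually fetched must hash to the fragment.
    Returns False when the URI carries no fragment at all, so a caller cannot
    confuse 'nothing to check' with 'checked and matched'."""
    fragment = urlsplit(request_uri).fragment
    if not fragment:
        return False
    return hmac.compare_digest(fragment.encode("utf-8"),
                               resource_hash(fetched_bytes).encode("ascii"))


# Constructed Request Object: unsigned ("alg":"none") with an empty signature
# segment purely so the example needs no key. Not taken from the draft.
_HEADER = b64url(b'{"alg":"none"}')
_PAYLOAD = b64url(b'{"iss":"example-client","response_type":"code",'
                  b'"redirect_uri":"https://client.example.org/cb"}')
REQUEST_OBJECT = f"{_HEADER}.{_PAYLOAD}."

# Three byte-level representations of the same logical JWT.
EXACT_BYTES = REQUEST_OBJECT.encode("ascii")            # what the client hashed
PRETTY_BYTES = EXACT_BYTES + b"\n"                      # newline added "for readability"
UTF16_BYTES = REQUEST_OBJECT.encode("utf-16")           # served in an unexpected charset (BOM + 2 bytes/char)

REQUEST_URI = build_request_uri("https://client.example.org/request.jwt", EXACT_BYTES)


def check_all() -> dict:
    """Which served variants still verify against the fragment the client published."""
    return {
        "exact": verify_request_uri(REQUEST_URI, EXACT_BYTES),
        "trailing_newline": verify_request_uri(REQUEST_URI, PRETTY_BYTES),
        "utf16": verify_request_uri(REQUEST_URI, UTF16_BYTES),
        "no_fragment": verify_request_uri("https://client.example.org/request.jwt", EXACT_BYTES),
    }


if __name__ == "__main__":
    print(REQUEST_URI)
    for name, ok in check_all().items():
        print(f"{name:17s} -> {'verifies' if ok else 'MISMATCH'}")
```

Only the byte-identical copy verifies. Because a compact-serialized JWT is pure ASCII, hashing it as ASCII or UTF-8 gives the same digest, so the charset question only bites when the server emits something like UTF-16 or when the resource is not a bare compact JWT; a single trailing newline is enough to break the check either way. An AS that validates the fragment therefore has to hash the response body as received, and a client that publishes the fragment has to hash the bytes it will actually serve.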