This is a classic case for the BCP: https://bitbucket.org/connect2id/nimbus-jose-jwt/issues/230/x5c-path-validation
Developer expects that checking the signature of a JWT with a given JWK will also validate the x5c of the JWK. How the developer obtained the JWK in the first place is not clear from the ticket. I wonder how such mistakes can be prevented at lib API level. If you know a good approach or example, please let me know.

Vladimir
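The gap the ticket describes, shown as an added example that is not code from the ticket or from the Nimbus library: a JWS verifies against whatever key the JWK carries, so a consumer that wants the `x5c` chain to mean anything has to check it separately. The function below (Python, `cryptography`; all names and the test certificates are constructed for this example) checks that `x5c[0]` certifies the JWK's own RSA key, is within its validity window, and was issued by a trust anchor the consumer already trusts.

```python
import base64, datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa, padding

def b64url_uint(n):  # JWK "n"/"e" encoding: base64url of the big-endian bytes, no padding
    return base64.urlsafe_b64encode(n.to_bytes((n.bit_length() + 7) // 8, "big")).rstrip(b"=").decode()
def uint_b64url(s):
    return int.from_bytes(base64.urlsafe_b64decode(s + "=" * (-len(s) % 4)), "big")

def make_cert(cn, key, issuer=None, issuer_key=None):
    # Constructed test certificate; self-signed when no issuer is given.
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = datetime.datetime.now(datetime.timezone.utc)
    return (x509.CertificateBuilder().subject_name(name).issuer_name(name if issuer is None else issuer)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now - datetime.timedelta(days=1))
            .not_valid_after(now + datetime.timedelta(days=30))
            .sign(issuer_key or key, hashes.SHA256()))

def jwk_with_x5c(key, cert):
    pub = key.public_key().public_numbers()
    der = cert.public_bytes(serialization.Encoding.DER)  # x5c entries are plain base64 of the DER
    return {"kty": "RSA", "n": b64url_uint(pub.n), "e": b64url_uint(pub.e),
            "x5c": [base64.b64encode(der).decode()]}

def x5c_bound_to_trusted_key(jwk, trust_anchor):
    # True only if x5c[0] carries the JWK's own key, is currently valid and was issued by
    # trust_anchor. Verifying a JWS with the JWK's key checks none of this.
    leaf = x509.load_der_x509_certificate(base64.b64decode(jwk["x5c"][0]))
    nums = leaf.public_key().public_numbers()
    if (nums.n, nums.e) != (uint_b64url(jwk["n"]), uint_b64url(jwk["e"])):
        return False  # JWK key and certified key differ: the x5c vouches for something else
    now = datetime.datetime.now(datetime.timezone.utc).replace(tzinfo=None)
    if not (leaf.not_valid_before <= now <= leaf.not_valid_after):
        return False
    if leaf.issuer != trust_anchor.subject:
        return False
    try:  # RSA certificates signed with SHA-256 use PKCS#1 v1.5 padding
        trust_anchor.public_key().verify(leaf.signature, leaf.tbs_certificate_bytes,
                                         padding.PKCS1v15(), leaf.signature_hash_algorithm)
    except InvalidSignature:
        return False
    return True

# Constructed scenario: a trusted CA, an untrusted CA, the JWT signer's key and a stranger's key.
CA_KEY, ROGUE_KEY = (rsa.generate_private_key(65537, 2048) for _ in range(2))
SIGNER_KEY, OTHER_KEY = (rsa.generate_private_key(65537, 2048) for _ in range(2))
CA_CERT, ROGUE_CERT = make_cert("Trusted Test CA", CA_KEY), make_cert("Untrusted CA", ROGUE_KEY)
LEAF = make_cert("jwt-signer", SIGNER_KEY, CA_CERT.subject, CA_KEY)
GOOD_JWK = jwk_with_x5c(SIGNER_KEY, LEAF)
MISMATCHED_JWK = jwk_with_x5c(OTHER_KEY, LEAF)  # a stranger's key paired with the signer's certificate
UNTRUSTED_JWK = jwk_with_x5c(SIGNER_KEY, make_cert("jwt-signer", SIGNER_KEY, ROGUE_CERT.subject, ROGUE_KEY))
```

Only `GOOD_JWK` passes; a JWS signed with `OTHER_KEY` or `SIGNER_KEY` would verify against the matching JWK just the same, which is exactly why the x5c check has to be a separate step.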
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth