On Mon, Jan 13, 2020 at 12:32:41PM -0500, Justin Richer wrote: > To be clear, I’m not saying we suggest a particular form, and I agree that we > shouldn’t specify that “it’s a JWT” or something of that nature. But if we > call the result of PAR “thing X” and the target of request_uri “thing X” in > JAR, then we’re compatible without saying what “thing X” needs to be in all > cases. >
That seems fair. What properties would a given "thing X" need to have in order to work, though -- uniqueness over a specific period of time? Unpredictability? More? -Ben _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
