Section 2.1 says:

> Although JWT access tokens can use any signing algorithm, use of
> asymmetric algorithms is RECOMMENDED

Can this be strengthened to disallow the `none` algorithm? Something like
adding "... and MUST NOT use the "none" algorithm".

Given that the JWT BCP doesn't disallow the "none" algorithm, technically
someone could follow both this JWT Access Token spec and the JWT BCP spec
and end up with an implementation that allows an AS to accept JWTs with the
"none" algorithm.

----
Aaron Parecki
aaronparecki.com
@aaronpk <http://twitter.com/aaronpk>
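The verifier-side check the message is asking the spec to mandate, written here as an added example (not code from the original post or from the draft): a resource server or AS must treat the `alg` header as untrusted input, reject `none` outright and accept only a fixed allowlist of asymmetric algorithms before it ever selects a key. `ALLOWED_ALGS`, `check_protected_header`, `is_accepted` and the constructed tokens are assumptions of this example, not part of the draft.

```python
import base64
import json

# Assumed verifier policy: only asymmetric JWS algorithms are accepted
# (the draft RECOMMENDS asymmetric algorithms; this example hard-codes it).
ALLOWED_ALGS = {"RS256", "RS384", "RS512", "PS256", "PS384", "PS512",
                "ES256", "ES384", "ES512", "EdDSA"}


def _b64url_decode(segment: str) -> bytes:
    """Decode an unpadded base64url segment as used in JWS compact form."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def check_protected_header(token: str, allowed=ALLOWED_ALGS) -> str:
    """Return the accepted 'alg' of the token, or raise ValueError.

    This runs before any signature check: the 'alg' value is chosen by
    whoever produced the token, so it is matched against a fixed allowlist
    rather than used to pick the verification method.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWS compact serialization")
    header = json.loads(_b64url_decode(parts[0]))
    alg = header.get("alg")
    if not isinstance(alg, str):
        raise ValueError("missing or non-string alg")
    # Unsecured JWTs (RFC 7518 'none') are rejected regardless of case.
    if alg.lower() == "none":
        raise ValueError("unsecured JWT (alg=none) rejected")
    if alg not in allowed:
        raise ValueError(f"alg {alg!r} not in allowlist")
    if parts[2] == "":
        raise ValueError("empty signature")
    return alg


def is_accepted(token: str) -> bool:
    """Boolean wrapper around check_protected_header for policy decisions."""
    try:
        check_protected_header(token)
        return True
    except ValueError:
        return False


def _constructed_token(header: dict, signature: str = "c2ln") -> str:
    """Build a constructed sample token (placeholder signature, demo only)."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc(header)}.{enc({'sub': 'alice'})}.{signature}"
```

With this gate in place a token whose header says `"alg": "none"` never reaches key lookup, which is the implementation outcome the proposed MUST NOT would rule out.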



On Wed, Apr 15, 2020 at 11:59 AM Rifaat Shekh-Yusef <rifaat.i...@gmail.com>
wrote:

> Hi all,
>
> This is a second working group last call for "JSON Web Token (JWT) Profile
> for OAuth 2.0 Access Tokens".
>
> Here is the document:
>
> https://tools.ietf.org/html/draft-ietf-oauth-access-token-jwt-06
>
> Please send your comments to the OAuth mailing list by April 29, 2020.
>
> Regards,
>
>  Rifaat & Hannes
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth