Hi all,

Can we say in [1] that the AS should add the value of the *state* parameter from the authorization request (if present) to the JWT access token it generates?

This will help to address the token injection issue [2], with respect to the implicit grant type.

Appreciate your thoughts on this.

[1]: https://tools.ietf.org/html/draft-ietf-oauth-access-token-jwt-07
[2]: https://tools.ietf.org/html/draft-ietf-oauth-security-topics-15#section-4.6

Thanks
-Prabath

On Tue, May 5, 2020 at 11:19 AM Rifaat Shekh-Yusef <rifaat.i...@gmail.com> wrote:

> Hi all,
>
> This is a 3rd working group last call for "JSON Web Token (JWT) Profile
> for OAuth 2.0 Access Tokens".
>
> Here is the document:
> https://tools.ietf.org/html/draft-ietf-oauth-access-token-jwt-07
>
> Please send your comments to the OAuth mailing list by May 12, 2020.
>
> Regards,
> Rifaat & Hannes
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth