Below is my review of draft-ietf-oauth-jwsreq-26.txt:

Section 1. Introduction:

Signed JWT also provides for non-repudiation. Under the section "Using JWT [RFC7519] as the request encoding instead of query parameters has several advantages:", I therefore suggest adding this:

.... (e) (non-repudiation) the signed JWT request can be archived by the AS as is and used later in investigation and auditing processes.

Section 10.5:

Text block repeated twice:

<<When the value of it as a server metadata is "true", then the server MUST reject the authorization request from any client that does not conform to this specification. It MUST also reject the request if the request object uses "alg":"none". If omitted, the default value is "false".>>

Section 12.1:

Must a TFP validate every single authorization request to be sent by the Client to the AS? I thought:

- The certificate issued by the TFP is proof that the client abides by the trust framework principles. The certificate can also contain details on the resources accessible to the client (e.g. AIS, PIS).
- The AS understands the content of the certificate and can use it to validate the client's adherence to the TF. This removes the need to send each authz request to the TFP for validation.

Best regards,
--
Francis Pouatcha
Co-Founder and Technical Lead
adorsys GmbH & Co. KG
https://adorsys-platform.de/solutions/
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth