On 2020-08-03, at 16:42, Carsten Bormann <c...@tzi.org> wrote:
>
> On 2014-10-06, at 09:54, Mike Jones <michael.jo...@microsoft.com> wrote:
>
>>> - 4.1.7: maybe worth adding that jti+iss being unique enough is not
>>> sufficient and jti alone has to meet that need. In
>>> X.509 the issuer/serial has the equivalent property so someone might assume
>>> sequential jti values starting at 0 are ok.
>>
>> Makes sense to add a warning of some kind along these lines. I think I know
>> the reasons you say that, but can you expand on that thought a bit before I
>> take a stab on writing this up? For instance, while normally true, I don't
>> think your observation is true if a relying party will only accept tokens
>> from a single issuer.
>
> So can someone remind me why jti needs to be unique globally, and not just
> per issuer?

Anyone?

Grüße, Carsten
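
The case raised in the quoted review comment, as an added example that is not part of the original thread: a relying party whose replay cache is keyed on jti alone, receiving tokens from two issuers that each number jti sequentially from 0. The issuer URLs and the class and function names are hypothetical, and the claims are constructed dicts standing in for already-verified JWT payloads.

```python
class ReplayCache:
    """Relying-party replay cache keyed on a chosen tuple of claims."""

    def __init__(self, key_fields):
        self.key_fields = key_fields
        self.seen = set()

    def accept(self, claims):
        """Return True the first time a key is seen, False on any repeat."""
        key = tuple(claims[f] for f in self.key_fields)
        if key in self.seen:
            return False
        self.seen.add(key)
        return True


def sequential_issuer(iss):
    """Hypothetical issuer that numbers its tokens 0, 1, 2, ... like X.509 serials."""
    n = 0
    while True:
        yield {"iss": iss, "jti": str(n)}
        n += 1


def sample_tokens():
    """Constructed traffic: two issuers, then a genuine replay of issuer A's first token."""
    a = sequential_issuer("https://issuer-a.example")
    b = sequential_issuer("https://issuer-b.example")
    a0, a1, b0 = next(a), next(a), next(b)
    return [a0, a1, b0, a0]


def run(key_fields, tokens):
    """Feed tokens through a fresh cache and return the accept/reject decisions."""
    cache = ReplayCache(key_fields)
    return [cache.accept(t) for t in tokens]


if __name__ == "__main__":
    tokens = sample_tokens()
    # Keyed on jti alone: issuer B's first token collides with issuer A's jti "0"
    # and is rejected as a replay although it was never presented before.
    print("jti only :", run(("jti",), tokens))
    # Keyed on (iss, jti): per-issuer uniqueness is enough, only the real replay fails.
    print("iss + jti:", run(("iss", "jti"), tokens))
```

With a single issuer the jti-only cache behaves correctly, which is the exception noted in the quoted reply.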