While some discussion of why explicit typing was not used might be useful to have, that thread started with a request for security considerations prohibiting use of the "sub" with a client ID value. Because such a request JWT could be repurposed for JWT client authentication. And explicit typing wouldn't help in that situation.
On Tue, Aug 11, 2020 at 2:50 PM Benjamin Kaduk via Datatracker < nore...@ietf.org> wrote: > > ---------------------------------------------------------------------- > COMMENT: > ---------------------------------------------------------------------- > > [updated to note that, per > https://mailarchive.ietf.org/arch/msg/oauth/Lqu15MJikyZrXZo5qsTPK2o0eaE/ > and the JWT BCP (RFC 8725), some discussion of why explicit typing is not > used would be in order] > > -- _CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited. If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you._
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
