> On 20 Jan 2023, at 3:18 am, Justin Richer <jric...@mit.edu> wrote: > > A JWT cannot be sent as a Byte Sequence because it is not :just: Base64. > Specifically, a JWT in compact serialization (which is what’s intended here) > is encoded as three sets of Base64url separated by periods “.”, which are > outside the base64URL alphabet. If anything, this fits the “token68” rule, > which I :think: means that it could be defined as sf-token here, to make it a > fully structured field, but I’m not entirely sure.
Ah, interesting. Token has a constraint on the first character -- it must be a letter. Is that always the case for a JWT? If not, two other options: - It could be conveyed as a String (surround with ") - The three components could be decomposed and each conveyed separately Cheers, -- Mark Nottingham https://www.mnot.net/ _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth