> On 20 Jan 2023, at 3:18 am, Justin Richer <jric...@mit.edu> wrote:
> 
> A JWT cannot be sent as a Byte Sequence because it is not :just: Base64. 
> Specifically, a JWT in compact serialization (which is what’s intended here) 
> is encoded as three sets of Base64url separated by periods “.”, which are 
> outside the base64URL alphabet. If anything, this fits the “token68” rule, 
> which I :think: means that it could be defined as sf-token here, to make it a 
> fully structured field, but I’m not entirely sure. 
Ah, interesting. Token has a constraint on the first character -- it must be a 
letter. Is that always the case for a JWT?

If not, two other options:

- It could be conveyed as a String (surround with ")
- The three components could be decomposed and each conveyed separately

Cheers,


--
Mark Nottingham   https://www.mnot.net/

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

Reply via email to