From a security POV please force HTTPS as we see in 5.2.1. The only performance
problem with HTTPS is that it's not used enough. There is no good reason for a
security framework to support HTTP.
Aloha,
Jim
> On Mar 24, 2017, at 9:15 AM, Dave Tonge wrote:
>
> Hi Nat and John
>
> I have some q
Hi Nat and John
I have some questions re the JWT Secured Authorization Request spec
https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-12
*1. Does the request_uri always have to be a URL?*
If the request object is hosted by the client then it makes sense, but if
10.3.d is followed and the AS p
I have 2 comments.
1. At the bottom of page 13, the text states:
Token replay is also not possible since an eavesdropper will also
have to obtain the corresponding private key or shared secret
that is bound to the access token.
Saying "Token replay is also not possible" is incorrect