Hi
Re: JWT
I understand your concern and we can put some explanatory notes. Having
said that, JAR is still a valid JWT, I think :-)
Re: client_id
We actually discussed client_id issues with OpenID Connect WG Call
yesterday as well.
I hear a pretty strong voice from the developer community that th
The following errata report has been verified for RFC6819,
"OAuth 2.0 Threat Model and Security Considerations".
--
You may review the report below and at:
https://www.rfc-editor.org/errata/eid5965
--
Status: Verified
Type:
Rephrasing Annabelle's description to highlight the issue:
The AS says "here are the keys to use to verify all of the tokens that *we*
have signed"
Separating duties in a large system is good cryptographic hygiene, i.e., one
component signs ID Tokens, another signs access tokens.
On Wed, Jan 29,