y do audience checking in order to
validate the access token. I believe this accounts for all the security
considerations, and alleviates the burden from the client to do any
checking itself.
Jared Hanson
Auth0 Inc.
--
Jared Hanson <http://jaredhanson.net/>
___
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
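As an added example, not code from this thread or from any vendor mentioned in it, here is a resource-server-side access-token check along the lines of what Jared describes: issuer and audience are validated by the resource server, not left to the client. Issuer, audience, host allowlist and the HS256 secret are all constructed values; HS256 is used only so the example runs offline, and a "jku" header is rejected up front unless its host belongs to the issuer, which is the concern raised later in the thread.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import urlparse

# Constructed resource-server configuration (hypothetical values).
EXPECTED_ISSUER = "https://issuer.example"
EXPECTED_AUDIENCE = "https://api.example/resource"
# Key-set URLs are only accepted on the issuer's own host, over HTTPS.
TRUSTED_JKU_HOSTS = {"issuer.example"}
SHARED_SECRET = b"constructed-test-secret"  # constructed HS256 key

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def jku_is_trusted(jku):
    """A jku URL is usable only if it is HTTPS and on an issuer-owned host."""
    u = urlparse(jku)
    return u.scheme == "https" and u.hostname in TRUSTED_JKU_HOSTS

def validate_access_token(token):
    """Return (ok, reason) after alg, jku, signature, issuer and audience checks."""
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(b64url_decode(h_b64))
        payload = json.loads(b64url_decode(p_b64))
    except ValueError:  # covers bad base64, bad JSON and wrong segment count
        return False, "malformed token"
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    if "jku" in header and not jku_is_trusted(header["jku"]):
        return False, "untrusted jku"
    expected = hmac.new(SHARED_SECRET, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s_b64)):
        return False, "bad signature"
    if payload.get("iss") != EXPECTED_ISSUER:
        return False, "wrong issuer"
    aud = payload.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]  # "aud" may be a string or a list
    if EXPECTED_AUDIENCE not in audiences:
        return False, "audience mismatch"
    return True, "ok"

def make_token(header, payload):
    """Mint a constructed HS256 token so the checks can be exercised offline."""
    h = b64url_encode(json.dumps(header).encode())
    p = b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(SHARED_SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url_encode(sig)}"
```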
r bad examples. For example, this example on Gluu's wiki: http://ox.gluu.org/doku.php?id=oxauth:jwt is blindly using the value of "jku" to fetch the key used to validate the signature, without any way to validate that the URL itself belongs to the issuer.
I'm raising this poi