I think we need to change the wording. Sender constraining for confidential clients
and refresh tokens does not require any signature. It’s client authentication +
checking the client id matches. I don’t see an issue with this.
> On 12.03.2020 at 19:36, Mike Jones wrote:
>
> +1 on sender co
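The check described in the first message above (sender constraining a refresh token for a confidential client by authenticating the client and then comparing the authenticated client id with the one the token was issued to), as an added example that is not from the thread or any OAuth implementation; the client registry, token store and secret values are constructed sample data:

```python
import hmac

# Constructed sample registry of confidential clients and their secrets.
# A real authorization server would load these from its client database.
CLIENTS = {
    "client-a": "secret-a",
    "client-b": "secret-b",
}

# Constructed sample refresh tokens; each records the client it was issued to.
REFRESH_TOKENS = {
    "rt-123": {"client_id": "client-a", "scope": "read"},
}


def authenticate_client(client_id, client_secret):
    """Return True if the confidential client presented valid credentials."""
    expected = CLIENTS.get(client_id)
    if expected is None:
        return False
    # Constant-time comparison so a wrong secret leaks nothing via timing.
    return hmac.compare_digest(expected.encode(), client_secret.encode())


def redeem_refresh_token(client_id, client_secret, refresh_token):
    """Sender-constrained refresh without any signature:
    1. the caller must authenticate as a confidential client;
    2. the token must have been issued to that same client.
    Returns (ok, scope_or_error)."""
    if not authenticate_client(client_id, client_secret):
        return False, "invalid_client"
    record = REFRESH_TOKENS.get(refresh_token)
    if record is None:
        return False, "invalid_grant"
    if record["client_id"] != client_id:
        # Valid client, but the token belongs to another client: reject it.
        return False, "invalid_grant"
    return True, record["scope"]


if __name__ == "__main__":
    print(redeem_refresh_token("client-a", "secret-a", "rt-123"))
    print(redeem_refresh_token("client-b", "secret-b", "rt-123"))
```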
+1 on sender constraints being RECOMMENDED but not REQUIRED. Different
applications have different risk profiles. We should enable people to make
reasonable choices for their use cases.
Remember that OAuth 1.0 was rejected by the marketplace because implementing
the sender-constraint mechanis