Why not leave this to be an AS policy, or to be defined by specific
profiles?
We have had a simple AS setting which allows or prohibits parameters
outside the JWT:
* If parameters outside the JWT are allowed, they are merged, with the
JWT-secured ones having precedence.
* If parameters o

Hi Annabelle,
We recently implemented PAR in a release. What security risks do AS
users face if the clients encrypt to the same JWK set?
If there are general issues with that, do they also hold for clients?
Because an OP / AS can potentially issue multiple types of encrypted
JWTs at separate endp