r bad examples. For example, this example on Gluu's wiki: http://ox.gluu.org/doku.php?id=oxauth:jwt is blindly using the value of "jku" to fetch the key used to validate the signature, without any way to validate that the URL itself belongs to the issuer.
I'm raising this poi
y do audience checking in order to validate the access token. I believe this accounts for all the security considerations, and alleviates the burden from the client to do any checking itself.
Jared Hanson
Auth0 Inc.
--
Jared Hanson <http://jaredhanson.net/>
___
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
he corresponding metadata.
It seems to me that the only real utility of this parameter is when well-known URIs are not being used. Applications (such as MCP) that make use of discovery using well-known URLs could just profile this as a requirement, obviating the use of the parameter.
Does this seem l
itical nature of these validations, I think it's important to resolve this to ensure both compatibility and security among implementations.
I have some thoughts on how the wording could be modified to make the algorithm and expected results more clear, but I'll wait on that until others ha