[Openid-specs-ab] Question about secret_type: JWT

Andreas Åkre Solberg andreas.solberg at uninett.no
Thu Aug 25 10:53:01 UTC 2011

On 25. aug. 2011, at 06:39, John Bradley wrote:

> Yes the idea is to use JWS to avoid directly disclosing the secret as is done with basic in the symmetric key case.
> OAuth dosent define a asymetric authentication to the token endpoint.
> The plan was to define a JWT with a single claim of code that would be signed by the RP.


My main point is that, I think there are security issues with that, unless you also require or reccomends that the JWT iss and aud headers are present (I don't think they are in the JWT spec).

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20110825/0b831b6a/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4448 bytes
Desc: not available
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20110825/0b831b6a/attachment.p7s>

More information about the Openid-specs-ab mailing list