[Openid-specs-risc] Regarding SET and requirement to understand claims
Phillip Hunt
phil.hunt at independentid.com
Tue Jun 27 18:15:04 UTC 2023
Following up on today's call. SET does not require that all claims be understood (the same as JWT). It does, however, lay out some security considerations for distinguishing SETs from JWT access tokens (Sections 3 and 4 of RFC 8417), as there was a concern that a SET might be construed as an access token.
RFC 8417 does permit event specifications to require whether or not specific claims be understood.
IOW…. if we want to move subject info to the sub_Id in the top level and leave the subject information in deprecated form in the payload, this would not be considered a breaking change.
Phillip Hunt
phil.hunt at independentid.com
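The two points in the message above, that a SET receiver need not understand every claim but must be able to tell a SET from an access token, and that carrying the subject in a top-level sub_id while leaving the old in-payload form in place is non-breaking, can be shown with a small receiver. The following is an added example written for this page, not code from the thread or from the OpenID RISC working group. It implements its own HS256 compact JWS (no external JWT library), uses a constructed shared key and constructed tokens, and assumes a RISC-style event type URI, an RFC 9493-style sub_id object, and a "subject" member inside the event payload as the deprecated location; those names are assumptions of the example.

```python
"""Minimal SET (RFC 8417) receiver, added example only; not code from the thread."""
import base64
import hashlib
import hmac
import json

# Constructed shared secret for HS256 in this example only.
DEMO_KEY = b"example-shared-secret-not-for-production"

# Assumed RISC-style event type URI (constructed for the example).
EVENT_TYPE = "https://schemas.openid.net/secevent/risc/event-type/account-disabled"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jws(header: dict, payload: dict, key: bytes) -> str:
    """Compact JWS using HS256, the only algorithm this example supports."""
    h = _b64url(json.dumps(header, separators=(",", ":")).encode())
    p = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    return f"{h}.{p}.{_b64url(sig)}"


def parse_set(token: str, key: bytes) -> dict:
    """Verify the signature, then apply the SET-specific checks.

    Returns the event type, a normalized subject, and the raw claims.
    Raises ValueError for anything that must not be processed as a SET.
    """
    h_b64, p_b64, s_b64 = token.split(".")
    header = json.loads(_b64url_decode(h_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unsupported alg")
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p_b64))

    # Explicit typing (RFC 8417): a receiver can tell a SET from an access
    # token or ID token by the typ header before trusting any claim.
    if header.get("typ") != "secevent+jwt":
        raise ValueError("not a SET: typ header is not secevent+jwt")

    # These claims the receiver must understand and require...
    for name in ("iss", "iat", "jti", "events"):
        if name not in claims:
            raise ValueError(f"missing required claim {name}")
    if not isinstance(claims["events"], dict) or not claims["events"]:
        raise ValueError("events must be a non-empty object")

    # ...but everything else is ignored if unrecognized, not rejected. That is
    # why adding sub_id alongside the old payload form does not break receivers.
    event_uri, payload = next(iter(claims["events"].items()))

    # Assumed layout: prefer a top-level sub_id (RFC 9493 style) and fall back
    # to a "subject" member inside the event payload (the deprecated location).
    subject = claims.get("sub_id") or payload.get("subject")
    if subject is None:
        raise ValueError("no subject identifier found")
    return {"event_type": event_uri, "subject": subject, "claims": claims}


def is_set(token: str, key: bytes) -> bool:
    """True if the token passes parse_set, False otherwise."""
    try:
        parse_set(token, key)
        return True
    except ValueError:
        return False


def build_demo_tokens() -> dict:
    """Constructed sample tokens: a new-style SET, an old-style SET, and an
    access-token lookalike that must be rejected."""
    base = {"iss": "https://idp.example.com", "aud": "https://rp.example.com",
            "iat": 1687889704, "jti": "demo-jti-0001"}
    subj = {"format": "email", "email": "user@example.com"}
    set_hdr = {"alg": "HS256", "typ": "secevent+jwt"}
    new_style = dict(base, sub_id=subj, txn="demo-txn",
                     events={EVENT_TYPE: {"reason": "hijacking", "subject": subj}})
    old_style = dict(base, events={EVENT_TYPE: {"subject": subj, "ext_unknown": True}})
    access_like = dict(base, sub="user", scope="read", exp=1687893304)
    return {
        "new_style": sign_jws(set_hdr, new_style, DEMO_KEY),
        "old_style": sign_jws(set_hdr, old_style, DEMO_KEY),
        "access_token": sign_jws({"alg": "HS256", "typ": "at+jwt"}, access_like, DEMO_KEY),
    }


if __name__ == "__main__":
    for name, tok in build_demo_tokens().items():
        print(name, "accepted" if is_set(tok, DEMO_KEY) else "rejected")
```

Both the new-style token (subject in sub_id, with an extra txn claim and a duplicated subject in the payload) and the old-style token (subject only inside the payload, plus an unknown extension member) are accepted with the same normalized subject; the token typed at+jwt is rejected on the typ check even though its signature verifies.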