BK DISCUSS: application/jwt too broad

Issue #101 resolved
Nat Sakimura repo owner created an issue

Relatedly, using application/jwt as the Content-type of the
HTTP response from dereferencing the request_uri with no explicit
indication of the type/profile of JWT used (whether in the content type
or in the JWT claims themselves) gives some risk of misinterpretation of
the content.  Consider, for example, when that request_uri is
dereferenced not by the authorization server in the process of
fulfilling an authorization request, but instead by some other service
that expects a different type of JWT.

This second point is a "discuss discuss" -- it's an important question
and I'd like to talk about it, but it's not clear that any change to the
document will be needed.

Looks like Ben is suggesting creating a new MIME type such as application/oauth.authz.req+jwt
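To make the misinterpretation risk concrete from the consumer's side, here is an added example (not code from this issue, the OpenID Foundation, or the OAuth JAR draft) of the check a service dereferencing a request_uri could apply before treating the body as an authorization request object. It accepts the body only when the JWT's type is indicated explicitly, either out of band by a specific media type or in band by the JOSE "typ" header, and rejects a bare application/jwt whose JWT carries no "typ". The media type value follows Nat's suggestion above; the "typ" value, the helper names, and the sample tokens are assumptions constructed for this example. Signature verification is out of scope here and would still be required.

```python
import base64
import json
from typing import Dict, Tuple

# Specific media type this consumer expects for a JAR request object.
# Taken from the suggestion in the issue; the exact name is not yet registered,
# so treat it as an assumption for this example.
EXPECTED_MEDIA_TYPE = "application/oauth.authz.req+jwt"

# In-band type indication via the JOSE "typ" header. Assumed value for this
# example; it mirrors the media type without the "application/" prefix.
EXPECTED_TYP = "oauth.authz.req+jwt"


def _b64url_encode(obj: dict) -> str:
    """Serialise a dict as unpadded base64url JSON, as used in compact JWS."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    """Decode an unpadded base64url segment."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_token(header: dict, claims: dict) -> str:
    """Build a compact JWT with a placeholder third segment.

    Constructed test data only: there is no real signature, because this
    example is about type indication, not signature validation.
    """
    return ".".join([_b64url_encode(header), _b64url_encode(claims),
                     _b64url_encode({"sig": "placeholder"})])


def jwt_header(token: str) -> dict:
    """Return the decoded JOSE header of a compact JWT without verifying it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected three segments)")
    return json.loads(_b64url_decode(parts[0]))


def parse_content_type(value: str) -> Tuple[str, Dict[str, str]]:
    """Split 'type/subtype; k=v; ...' into a lower-cased media type and parameters."""
    parts = [p.strip() for p in value.split(";")]
    params: Dict[str, str] = {}
    for p in parts[1:]:
        if "=" in p:
            k, v = p.split("=", 1)
            params[k.strip().lower()] = v.strip().strip('"')
    return parts[0].lower(), params


def accept_request_object(content_type: str, token: str) -> Tuple[bool, str]:
    """Decide whether a dereferenced request_uri body may be treated as a request object.

    Rules (defensive reading of the issue):
      * specific media type: accept, unless an in-band "typ" contradicts it;
      * generic application/jwt: accept only if "typ" names the expected profile;
      * anything else: reject.
    Returns (accepted, reason) so callers can log why a body was refused.
    """
    media_type, _params = parse_content_type(content_type)
    typ = jwt_header(token).get("typ")

    if media_type == EXPECTED_MEDIA_TYPE:
        if typ is not None and typ != EXPECTED_TYP:
            return False, "typ header does not match media type"
        return True, "specific media type"

    if media_type == "application/jwt":
        if typ == EXPECTED_TYP:
            return True, "typed JWT under application/jwt"
        if typ is None:
            return False, "untyped JWT under generic application/jwt"
        return False, "JWT of another type (%s) under application/jwt" % typ

    return False, "unexpected media type %s" % media_type


if __name__ == "__main__":
    # Constructed sample request objects; client_id values are placeholders.
    typed = make_token({"alg": "RS256", "typ": EXPECTED_TYP},
                       {"client_id": "example-client", "response_type": "code"})
    untyped = make_token({"alg": "RS256"},
                         {"client_id": "example-client", "response_type": "code"})
    access_token_like = make_token({"alg": "RS256", "typ": "at+jwt"}, {"sub": "alice"})
    for ct, tok in [("application/jwt", untyped),
                    ("application/jwt; charset=utf-8", typed),
                    (EXPECTED_MEDIA_TYPE, untyped),
                    ("application/jwt", access_token_like)]:
        print(ct, "->", accept_request_object(ct, tok))
```

The point of returning a reason string is operational: a service that rejects an untyped body should be able to say in its logs that the rejection was due to missing type indication rather than a malformed token, which is what makes the "too broad" media type visible in practice.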
