Section 3, it is unclear whether the Request Object can be a JWE only or if a JWS is always used

Issue #8 resolved
Nat Sakimura repo owner created an issue

From the wording in Section 3, it is unclear whether the Request Object can be a JWE only or if a JWS is always used (with alg:none for unsigned) and is nested within a JWE when encryption but not signing is needed. To my reading there is text that suggests both cases. Which is it? I think some clarification is needed around this. (Brian Campbell)

The intent is that it can be:

  • JWS only
  • JWE only
  • JWSed then JWEed.

The editor tried to reconstruct the section to clarify it. Please see -07 to find out if it worked. A concrete text would be appreciated.
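The three shapes listed above can be told apart from the outside of a compact serialization. The following is an added example, not part of the issue thread or the draft: the function names and return labels are hypothetical, and it assumes a nested Request Object marks itself with the `cty: "JWT"` header that RFC 7519 defines for nested JWTs.

```python
import base64
import json

def b64url_decode(segment):
    # JOSE base64url omits padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_header(fields):
    # Helper used only to build the constructed samples below.
    return b64url_encode(json.dumps(fields).encode())

def classify_request_object(compact):
    """Name the outer shape of a compact-serialized Request Object."""
    parts = compact.split(".")
    if len(parts) not in (3, 5):
        raise ValueError("neither JWS (3 segments) nor JWE (5 segments)")
    header = json.loads(b64url_decode(parts[0]))
    if not isinstance(header, dict) or not isinstance(header.get("alg"), str):
        raise ValueError("protected header lacks a string 'alg'")
    if len(parts) == 3:
        if header["alg"] == "none":
            # An Unsecured JWS carries an empty signature segment.
            if parts[2]:
                raise ValueError("alg=none with a non-empty signature")
            return "jws-unsecured"
        if not parts[2]:
            raise ValueError("signed JWS with an empty signature")
        return "jws-signed"
    if "enc" not in header:
        raise ValueError("five segments but no 'enc' header")
    # Without the decryption key, 'cty' is the only outward sign of nesting.
    if str(header.get("cty", "")).upper() == "JWT":
        return "jwe-nested-jws"
    return "jwe-only"

# Constructed samples: real headers, placeholder payload/key/ciphertext segments.
JWE_HDR = {"alg": "RSA-OAEP", "enc": "A256GCM"}
SAMPLES = {
    "signed": make_header({"alg": "RS256"}) + ".e30.c2ln",
    "unsigned": make_header({"alg": "none"}) + ".e30.",
    "encrypted": make_header(JWE_HDR) + ".k.iv.ct.tag",
    "nested": make_header({**JWE_HDR, "cty": "JWT"}) + ".k.iv.ct.tag",
}
```

A receiver can compare the returned label with the shapes its policy accepts before verifying or decrypting. The `cty` check is only a hint, so the decrypted content still has to be inspected.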
