
Issue #89 wontfix
Nat Sakimura repo owner created an issue
Section 6.2

The Authorization Server MUST perform the signature validation of the JSON Web Signature [RFC7515] signed request object. For this, the alg Header Parameter in its JOSE Header MUST match the value of the pre-registered algorithm. The signature MUST be validated against the appropriate key for that client_id and algorithm.

Does "the pre-registered algorithm" concept exist in the specs outside of draft-ietf-oauth-jwt-bcp?
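One way an Authorization Server could enforce the Section 6.2 rule quoted above, as an added example that is not part of this issue or of the specification: the registration store, the client_id and the client secret are constructed sample values, and only HS256 is implemented.

```python
import base64
import hashlib
import hmac
import json

# Constructed registration store (client_id -> RFC 7591 metadata).
# request_object_signing_alg is the registry entry the comment names;
# the secret is a constructed sample value, not a real credential.
REGISTERED_CLIENTS = {
    "s6BhdRkqt3": {"request_object_signing_alg": "HS256",
                   "client_secret": "constructed-sample-secret"},
}

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def hs256_request_object(claims: dict, secret: str, alg: str = "HS256") -> str:
    """Build a compact JWS signed with HMAC-SHA256. `alg` is only written into
    the header so a test can produce a header that disagrees with the
    registration (e.g. "none")."""
    h = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    p = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url_encode(sig)}"

def validate_request_object(jws: str, client_id: str) -> dict:
    """AS-side check from Section 6.2: the JOSE header alg must equal the
    client's pre-registered request_object_signing_alg, and the signature
    must verify with that client's key for that algorithm."""
    client = REGISTERED_CLIENTS.get(client_id)
    if client is None:
        raise ValueError("unknown client_id")
    parts = jws.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    # The registration, not the header, decides the algorithm: a header that
    # says "none" or any other alg is rejected before any key is touched.
    if header.get("alg") != client["request_object_signing_alg"]:
        raise ValueError("alg does not match pre-registered algorithm")
    if header["alg"] != "HS256":
        raise ValueError("algorithm not supported by this example")
    key = client["client_secret"].encode()
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("signature invalid for client key")
    return json.loads(b64url_decode(p))
```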

Comments (3)

  1. Nat Sakimura reporter

    Yes. RFC7591 combined with some of the OAuth Dynamic Client Registration Metadata registry forms the concept. RFC7591 allows clients to register the claims that are in the OAuth Dynamic Client Registration Metadata registry. The registry has

    • request_object_signing_alg
    • request_object_encryption_alg

    besides others.
