I'm trying to prototype some tests for JARM but I'm not 100% clear on the meaning of the spec:
1) Can servers optionally return nbf/iat (they're not mentioned in the JARM spec) in the response JWT?
1a) If they can, must those values be valid as per normal JWT rules for nbf/iat?
2) Can servers return other claims in the response JWT or would that be an error or warning? (e.g. returning 'sub', 'c_hash' or 'nonce' claims would seem to indicate the server is not really doing the right thing)
3) Is 'kid' a MUST in the header? The text seems to imply so with explicit mentions of kid.
4) Is it an error for a server to return (say) state in the normal query parameters (i.e. returning state both inside and outside the JWT)?
5) Is it mandatory for clients to supply 'state' when using JARM [and scope=openid]? The spec reads like it is required, but 'state' is not generally required in FAPI-RW.
(raised as a bug as I suspect it may turn out to be worth clarifying some of these in the spec)
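As an added example (not part of this ticket or of the JARM spec itself), a small Python claim-check harness of the kind the questions above are probing for: it parses a query-mode JARM redirect URL and reports findings on kid, nbf/iat, unexpected claims and parameters duplicated outside the JWT. The severities, the skew tolerance, the `require_kid` switch and the set of tolerated extra claims are assumptions for such a harness, not answers from the spec; signature verification is assumed to happen before these checks and is not shown.

```python
import base64
import json
from urllib.parse import parse_qs, urlencode, urlparse

# iss, aud and exp are the claims JARM adds to the authorization response; the
# other sets, the severities and the skew value are this harness's assumptions.
REQUIRED_CLAIMS = {"iss", "aud", "exp"}
RESPONSE_PARAMS = {"code", "state", "error", "error_description", "error_uri"}
OPTIONAL_JWT_CLAIMS = {"nbf", "iat", "jti"}
CLOCK_SKEW = 60  # seconds

def _b64url(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_json(part):
    return json.loads(base64.urlsafe_b64decode(part + "=" * (-len(part) % 4)))

def build_sample_url(header, claims, extra_params):
    """Constructed query-mode redirect URL; the signature segment is a placeholder."""
    jwt = ".".join([_b64url(header), _b64url(claims), "c2ln"])
    return "https://client.example/cb?" + urlencode({"response": jwt, **extra_params})

def check_jarm_response(redirect_url, expected_iss, client_id, now, require_kid=True):
    """Return (severity, finding) pairs for a JARM query-mode redirect URL."""
    # Signature verification against the AS's JWKS is assumed to have passed already.
    params = {k: v[0] for k, v in parse_qs(urlparse(redirect_url).query).items()}
    header, claims = (_b64url_json(p) for p in params["response"].split(".")[:2])
    findings = []
    if "kid" not in header:
        findings.append(("ERROR" if require_kid else "WARN", "missing_kid"))
    for claim in sorted(REQUIRED_CLAIMS - set(claims)):
        findings.append(("ERROR", "missing_claim:" + claim))
    if "iss" in claims and claims["iss"] != expected_iss:
        findings.append(("ERROR", "iss_mismatch"))
    if "aud" in claims and claims["aud"] != client_id:
        findings.append(("ERROR", "aud_mismatch"))
    if claims.get("exp", now) <= now - CLOCK_SKEW:
        findings.append(("ERROR", "expired"))
    for claim in ("nbf", "iat"):  # not mentioned by JARM; apply RFC 7519 rules when present
        if claims.get(claim, now) > now + CLOCK_SKEW:
            findings.append(("ERROR", claim + "_in_future"))
    for claim in sorted(set(claims) - REQUIRED_CLAIMS - RESPONSE_PARAMS - OPTIONAL_JWT_CLAIMS):
        findings.append(("WARN", "unexpected_claim:" + claim))
    # Parameters outside the JWT carry no integrity protection; flag each one
    for key in sorted(set(params) - {"response"}):
        findings.append(("WARN", "param_outside_jwt:" + key))
    return findings
```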