oauth2 Profile - 2.1.1 2nd paragraph @torsten comment
Issue #4
closed
"The client then presents that authorization code along with its own credentials (private_key_jwt) to the authorization server's token endpoint to obtain an access token"
Why does the draft recommend private_key_jwt only? There are other credentials around based on public key crypto, e.g. X.509 certs and mTLS.
Comments (3)
Account Deactivated reporter We chose private_key_jwt since it is the simplest approach with the same security props as certs. I'm not against changing to say 'asym crypt' with a should do jwt and may do PKI. But for now this was our approach.
Account Deactivated reporter - changed status to closed
See comment.
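The token request quoted in this issue, as an added example that is not part of the draft or of any commenter's post: the client signs a `private_key_jwt` assertion (claims as in RFC 7523 / OpenID Connect Core) and the authorization server verifies it against the public key registered for that client. The client id, URLs, authorization code, result strings and the choice of RS256 are assumptions made for the example.

```javascript
const crypto = require('crypto');
const TYPE = 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer';
const b64u = (s) => Buffer.from(s).toString('base64url');
const parse = (seg) => JSON.parse(Buffer.from(seg, 'base64url').toString());
// Client: sign a short-lived assertion whose audience is the token endpoint.
function buildClientAssertion(clientId, tokenEndpoint, privateKey, now) {
  const claims = { iss: clientId, sub: clientId, aud: tokenEndpoint,
    jti: crypto.randomUUID(), iat: now, exp: now + 60 };
  const input = b64u(JSON.stringify({ alg: 'RS256', typ: 'JWT' })) + '.' + b64u(JSON.stringify(claims));
  return input + '.' + crypto.sign('sha256', Buffer.from(input), privateKey).toString('base64url');
}

// Client: authorization_code token request; the assertion replaces a shared secret.
function buildTokenRequest(code, redirectUri, assertion) {
  return new URLSearchParams({ grant_type: 'authorization_code', code,
    redirect_uri: redirectUri, client_assertion_type: TYPE, client_assertion: assertion }).toString();
}

// Authorization server: checks made before the code is exchanged for a token.
function verifyClientAssertion(body, registeredKeys, tokenEndpoint, seenJti, now) {
  const p = new URLSearchParams(body);
  if (p.get('client_assertion_type') !== TYPE) return 'bad_type';
  const parts = (p.get('client_assertion') || '').split('.');
  if (parts.length !== 3) return 'malformed';
  let header, claims;
  try { header = parse(parts[0]); claims = parse(parts[1]); } catch { return 'malformed'; }
  if (header?.alg !== 'RS256') return 'bad_alg'; // pin the algorithm; never pick it from the header
  const key = registeredKeys.get(claims?.iss);   // public key registered for this client
  if (!key || claims.sub !== claims.iss) return 'unknown_client';
  const signed = Buffer.from(parts[0] + '.' + parts[1]);
  if (!crypto.verify('sha256', signed, key, Buffer.from(parts[2], 'base64url'))) return 'bad_signature';
  if (claims.aud !== tokenEndpoint) return 'bad_audience';
  if (typeof claims.exp !== 'number' || claims.exp <= now) return 'expired';
  if (seenJti.has(claims.jti)) return 'replayed'; // assertions are single-use
  seenJti.add(claims.jti);
  return 'ok';
}

// Constructed demo: throwaway key pair; client id, endpoints and code are made up.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const ep = 'https://as.example/token', now = 1700000000;
  const keys = new Map([['client-1', publicKey]]), seen = new Set();
  const body = buildTokenRequest('code-123', 'https://rp.example/cb',
    buildClientAssertion('client-1', ep, privateKey, now));
  return { first: verifyClientAssertion(body, keys, ep, seen, now),
    replay: verifyClientAssertion(body, keys, ep, seen, now),
    wrongAud: verifyClientAssertion(body, keys, 'https://other.example/token', new Set(), now) };
}
```

The server side needs only the client's registered public key, with no certificate chain or TLS-layer client authentication involved.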