openid / igov / issues / #4 - oauth2 Profile - 2.1.1 2nd paragraph @torsten comment — Bitbucket

Issue #4 closed

Paul Grassi created an issue 2019-03-05

"The client then presents that authorization code along with its own credentials (private_key_jwt) to the authorization server's token endpoint to obtain an access token"

Why does the draft recommend private_key_jwt only? There are other credentials around based on public key crypto, e.g. X.509 certs and mTLS.

Comments (3)

Paul Grassi Account Deactivated reporter
- changed title to oauth2 Profile - 2.1.1 2nd paragraph @torsten comment
- 2019-03-05T22:30:16+00:00
Paul Grassi Account Deactivated reporter
We chose private_key_jwt since it is the simplest approach with the same security props as certs. I'm not against changing to say 'asym crypt' with a should do jwt and may do PKI. But for now this was our approach.
- 2019-03-15T19:17:45+00:00
Paul Grassi Account Deactivated reporter
- changed status to closed
See comment.
- 2019-03-15T19:17:53+00:00
Log in to comment

Assignee: –

Type: bug

Priority: major

Status: closed

Votes: 0

Watchers: 1

Jira: the preferred issue tracker for Bitbucket. Join the team!