At the end of section 3 <https://tools.ietf.org/html/draft-ietf-oauth-proof-of-possession-02#section-3> it says, 'At least one of the "sub" and "iss" claims MUST be present in the JWT, and in some use cases, both MUST be present.'
Admittedly I've misused RFC 2119 keywords a few times myself, so I say this aware of my own hypocrisy, but shouldn't the second "MUST" in that sentence be a little "must"? I don't think "some use cases" is enough to know when it applies. Maybe even splitting it up into two sentences? Something like, 'At least one of the "sub" and "iss" claims MUST be present in the JWT. Some use cases may require that both be present.'
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
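The distinction the message draws, an unconditional requirement (at least one of "sub" and "iss") versus a use-case-specific one (both), is what a validator ends up encoding. The following is an added example, not code from the draft or from the mailing list poster; it decodes the payload of a compact-serialized JWT and applies the claim-presence rule. Signature verification is deliberately out of scope here, and the `require_both` flag is an assumption of this example standing in for a profile that demands both claims; the draft itself defines no such switch. The sample tokens are constructed inline.

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment without padding, as used in JWS/JWT."""
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def jwt_claims(token: str) -> dict:
    """Return the claims set of a compact-serialized JWT.

    NOTE: this does NOT verify the signature; it only splits the token and
    decodes the payload so the claim-presence rule can be checked.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three segments")
    return json.loads(_b64url_decode(parts[1]))


def check_issuer_subject(claims: dict, require_both: bool = False) -> list:
    """Check the "sub"/"iss" presence rule from draft-ietf-oauth-proof-of-possession.

    The draft's unconditional requirement is that at least one of the two
    claims is present. Whether BOTH are required depends on the use case;
    that is modelled here by the hypothetical ``require_both`` flag (an
    assumption of this example, not something the draft defines).
    Returns a list of error strings; an empty list means the check passed.
    """
    errors = []
    has_sub = isinstance(claims.get("sub"), str) and claims["sub"] != ""
    has_iss = isinstance(claims.get("iss"), str) and claims["iss"] != ""
    if not (has_sub or has_iss):
        errors.append('at least one of "sub" and "iss" MUST be present')
    elif require_both and not (has_sub and has_iss):
        errors.append('this profile requires both "sub" and "iss"')
    return errors


def _make_unsigned_jwt(claims: dict) -> str:
    """Build an unsigned (alg=none) JWT for demonstration purposes only."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return enc({"alg": "none"}) + "." + enc(claims) + "."


# Constructed sample tokens (not real tokens from any deployment).
TOKEN_SUB_ONLY = _make_unsigned_jwt({"sub": "alice"})
TOKEN_BOTH = _make_unsigned_jwt({"iss": "https://as.example", "sub": "alice"})
TOKEN_NEITHER = _make_unsigned_jwt({"exp": 1700000000})

if __name__ == "__main__":
    for name, tok in [("sub only", TOKEN_SUB_ONLY),
                      ("both", TOKEN_BOTH),
                      ("neither", TOKEN_NEITHER)]:
        claims = jwt_claims(tok)
        print(name,
              "baseline:", check_issuer_subject(claims),
              "strict profile:", check_issuer_subject(claims, require_both=True))
```

The baseline call rejects only the "neither" token; with `require_both=True` the "sub only" token is also rejected, which is the behaviour a profile would have to state explicitly rather than leave to "some use cases".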