Right now we are discussing mis-configured clients that have been convinced to use a token or rs endpoint that has been mitm. Adding a new parameter increases attack surface because the rs is now ignoring the token and believing the header which may have been inserted.
Phil

> On Mar 12, 2016, at 11:29, Jim Willeke <j...@willeke.com> wrote:
>
> Would a header be a concern if TLS was used for transportation?
>
> --
> -jim
> Jim Willeke
>
>> On Sat, Mar 12, 2016 at 10:03 AM, Phil Hunt (IDM) <phil.h...@oracle.com> wrote:
>> A header might open another attack vector. Better to parse the jwt and look for the issuer assuming the jwt validates.
>>
>> Phil
>>
>>> On Mar 12, 2016, at 09:02, Jim Willeke <j...@willeke.com> wrote:
>>>
>>> Why not register JWT as an access token type and then the Issuer is implied?
>>>
>>> --
>>> -jim
>>> Jim Willeke
>>>
>>>> On Sat, Mar 12, 2016 at 8:32 AM, Mike Schwartz <m...@gluu.org> wrote:
>>>> Kawasaki-san,
>>>>
>>>> This is a really good question: how to know the issuer of a bearer token. Is there a header that could be added to specify the issuer, or other important metadata?
>>>>
>>>> - Mike
>>>>
>>>> -------------------------------------
>>>> Michael Schwartz
>>>> Gluu
>>>> Founder / CEO
>>>> m...@gluu.org
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
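Phil's suggestion in the thread (parse the JWT, take the issuer from it, and trust nothing until the signature validates), as an added example that is not from the thread or from any project: the resource server ignores any issuer hint carried in a header, uses the token's own unverified `iss` only to select a pre-registered key, and accepts the claims only after the signature checks out under that key. HS256 with shared secrets, the `TRUSTED_ISSUERS` table and the `mint_hs256` helper are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo registry: issuer -> HMAC secret the RS registered out of band.
# Only issuers listed here can ever be trusted; nothing in a request adds to it.
TRUSTED_ISSUERS = {
    "https://as.example.com": b"as-example-secret-constructed",
    "https://as.partner.example": b"partner-secret-constructed",
}

def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def mint_hs256(issuer, claims, secret):
    """Constructed helper so the demo runs offline: issue an HS256 JWT."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(dict(claims, iss=issuer)).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def resolve_issuer(token, hinted_issuer=None):
    """Return the verified issuer of `token`, or None if it cannot be trusted.

    `hinted_issuer` stands for an issuer carried in a transport header; it is
    accepted as a parameter only to make the point that it is never consulted.
    """
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        payload = json.loads(_b64url_decode(p))
        signature = _b64url_decode(s)
    except ValueError:                      # malformed base64url, JSON or bytes
        return None
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return None
    if header.get("alg") != "HS256":        # refuse "none" and unexpected algs
        return None
    candidate = payload.get("iss")          # unverified: used only to pick a key
    secret = TRUSTED_ISSUERS.get(candidate)
    if secret is None:                      # unknown issuer: no key, no trust
        return None
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None                         # claims a trusted issuer, wrong key
    return candidate                        # now backed by a verified signature
```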