FWIW, the second paragraph of resource indicators, section 2.1 <https://tools.ietf.org/html/draft-ietf-oauth-resource-indicators-02#section-2.1> says to use a JSON array via the following text:
For authorization requests sent as a JWTs, such as when using JWT Secured Authorization Request [I-D.ietf-oauth-jwsreq <https://tools.ietf.org/html/draft-ietf-oauth-resource-indicators-02#ref-I-D.ietf-oauth-jwsreq>], a single "resource" parameter value is represented as a JSON string while multiple values are represented as an array of strings. On Mon, Apr 22, 2019 at 2:15 AM Vladimir Dzhuvinov <vladi...@connect2id.com> wrote: > https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-17#section-4 > > How should multi-valued request params be expressed in the JWT claims set? > As values in a JSON array? > > { > "iss": "s6BhdRkqt3", > "aud": "https://server.example.com"; <https://server.example.com>, > "response_type": "code id_token", > "client_id": "s6BhdRkqt3", > "redirect_uri": "https://client.example.org/cb"; > <https://client.example.org/cb>, > "scope": "openid", > "state": "af0ifjsldkj", > "some-query-param": [ "val-1", "val-2" ] > } > > Apart from custom params, the resource indicators spec also suggests that > such situations can occur: > > > https://tools.ietf.org/html/draft-ietf-oauth-resource-indicators-02#section-2 > > Thanks, > > Vladimir > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > -- _CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited. If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you._
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
