Dear all,

draft-ietf-oauth-jwsreq-19 gives guidance on which key to use to verify a JWS' signature (the client's key) (https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-19#section-6.2).

However, there is no such guidance for JWE encryption:

* any "enc" key published by the AS on its jwks_uri?

* one specific key of the ones listed at the server's jwks_uri? If so, how to indicate which one in particular?

* out-of-band configuration?

And should it be part of the specification?

Regards,

--

Tangui

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
