Perhaps quite late, but a few comments/questions related to this:

1) When decoded, all the JWT samples are missing the "typ" claim from the header, which I think should be "oauth.authz.req+jwt".

2) When validating the JAR if we are to validate the "typ" then this would be incompatible with OIDC's request object, I think?

3) When the JAR is passed by reference, then the HTTP response Content-Type of "application/oauth.authz.req+jwt" would also seem to break or be incompatible with OIDC's request object passed by reference?

There might need to be clarification when mixing this w/ an OIDC OP implementation.

TIA

-Brock
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
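
An added illustration of the interop question raised in this message (not code from the draft, the poster, or any OP implementation): a header check that contrasts strict "typ" validation with a policy that tolerates a missing "typ". The function names and the `allow_missing_typ` switch are hypothetical, and the premise that an OIDC-style request object carries no "typ" is the message's own assumption, modeled here by the constructed `UNTYPED` sample.

```python
import base64
import json

# Value taken from the message above; the media type form adds "application/".
JAR_TYP = "oauth.authz.req+jwt"


def b64url_json(obj):
    """Encode a dict as an unpadded base64url JSON segment (for sample tokens)."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def read_header(compact_jws):
    """Decode the JOSE header only; signature verification is a separate step."""
    parts = compact_jws.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    seg = parts[0] + "=" * (-len(parts[0]) % 4)  # restore stripped padding
    header = json.loads(base64.urlsafe_b64decode(seg))
    if not isinstance(header, dict):
        raise ValueError("JOSE header is not a JSON object")
    return header


def check_typ(compact_jws, allow_missing_typ):
    """Classify the typ header as 'jar', 'untyped' or 'rejected'."""
    typ = read_header(compact_jws).get("typ")
    if typ is None:
        # Hypothetical policy switch: accept request objects with no typ.
        return "untyped" if allow_missing_typ else "rejected"
    if not isinstance(typ, str):
        return "rejected"
    # RFC 7515 allows the "application/" prefix to be omitted in typ.
    name = typ.lower()
    if name.startswith("application/"):
        name = name[len("application/"):]
    return "jar" if name == JAR_TYP else "rejected"


# Constructed samples: placeholder payload and signature, only the header matters.
BODY = b64url_json({"client_id": "example-client"}) + ".sig"
TYPED = b64url_json({"alg": "RS256", "typ": JAR_TYP}) + "." + BODY
UNTYPED = b64url_json({"alg": "RS256"}) + "." + BODY
OTHER = b64url_json({"alg": "RS256", "typ": "JWT"}) + "." + BODY
```

With `allow_missing_typ=False` the untyped sample is rejected, which is the incompatibility the second question describes; with `True` it is accepted as "untyped" while a mismatched "typ" is still rejected.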