I guess it is not true in practice … and now I’m going to have to go look at
the DPoP usage …

On Thu, Jun 16, 2022 at 2:32 PM Neil Madden <neil.mad...@forgerock.com>
wrote:

> Is that actually true? The DPoP spec itself is a case in point: it reuses
> the existing OIDC “nonce” claim but explicitly says that DPoP nonces are
> not like OIDC nonces (section 9):
>
> “Developers should also take care to not confuse DPoP nonces with the
> OpenID Connect [OpenID.Core
> <https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop#ref-OpenID.Core>]
> ID Token nonce.”
>
>
> The official IANA registration of “nonce” says:
>
>
> Value used to associate a Client session with an ID Token
>
>
> Does this matter? If not, does it matter if some other spec defines a “htm” 
> claim with different meaning?
>
>
> On 16 Jun 2022, at 20:50, Dick Hardt <dick.ha...@gmail.com> wrote:
>
> 
>
> Registering the names provides clarity on use and avoids confusion on the
> meaning of a claim — i.e., two specs won’t have conflicting definitions of
> “htm”.
>
> On Thu, Jun 16, 2022 at 10:20 AM Warren Parad <wparad=
> 40rhosys...@dmarc.ietf.org> wrote:
>
>> I think the registration really helps with discovery, especially as an
>> implementer. When you see or observe these claims in a JWT, you can google
>> them, potentially returning no results. If you know about the IANA registry
>> you can find them, even if you don't know that the tokens have anything to
>> do with DPoP.
>>
>> On Thu, Jun 16, 2022 at 6:21 PM Neil Madden <neil.mad...@forgerock.com>
>> wrote:
>>
>>> The DPoP spec registers the “htm”, “htu”, and “ath” claims [1]. But do
>>> these claims actually make sense outside of a DPoP proof? Presumably the
>>> risk of naming collision within a DPoP proof is pretty small, so is there
>>> any benefit to registering them rather than just using them as private
>>> claims?
>>>
>>> (I guess I could ask the same question about lots of other entries in
>>> the current registry at IANA, many of which look completely app-specific to
>>> me).
>>>
>>> [1]:
>>> https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop#section-12.7
>>>
>>>
>>> — Neil
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>>
>>
>