DPoP mentions the **ASCII encoding** of a token value. This appears twice in the spec:
*section 4.2. DPoP Proof JWT Syntax*... ath: hash of the access token. The value MUST be the result of a base64url encoding (as defined in Section 2 of [RFC7515]) the SHA-256 [SHS] hash of the ASCII encoding of the associated access token's value. and *section 12.7. JSON Web Token Claims Registration* ... Access token hash: ... Claim Description: The base64url encoded SHA-256 hash of the ASCII encoding of the associated access token's value. I'm trying to develop a bunch of test cases, and would like to know the meaning more precisely. Does ASCII encoding mean that the algorithm should (1) treat the access token's value as an array(or a sequence) of unsigned bytes, and (2) clear the most-significant-bit (MSB) of each byte in the array. (3) calculate SHA-256 of the byte array obtained in step 2. (4) calculate the base64url encoding of the bytes obtained in step 3. Is this the correct interpretation? Especially the step 2 that clears the MSB of each byte? (I'm not assuming tokens to be JWTs; intend to support proprietary token representations and opaque tokens). Thank you! Devi Prasad
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth