Thanks Dominick, I believe they should both use HTTP because that claim and check is about something from HTTP semantics. And the general requirement to use HTTPS is stated elsewhere. I'll update that accordingly as part of IETF last call <https://mailarchive.ietf.org/arch/msg/oauth/ckcPWi5XrtzZ8-mmxBUwDegkw3A/>.
On Sun, Jan 8, 2023 at 8:01 AM Dominick Baier <dba...@leastprivilege.com> wrote:

> Hi,
>
> While implementing I found
>
> Section 4.2 says
>
> htu: The *HTTP* target URI (Section 7.1 of [RFC9110]), without query and
> fragment parts, of the request to which the JWT is attached.
>
> While Section 4.3 says
>
> the htu claim matches the *HTTPS* URI value for the HTTP request in which
> the JWT was received, ignoring any query and fragment parts
>
> HTTP vs HTTPS
>
> cheers
> Dominick
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
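The htu check discussed in this thread, sketched as an added example that is not part of the original messages or of the draft: it compares the claim with the URI of the received request, ignoring query and fragment, and shows that the scheme still takes part in the comparison. The host names are constructed, and the case and default-port normalization is a choice of this example rather than something stated in the thread.

```python
from urllib.parse import urlsplit, urlunsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_htu(uri: str) -> str:
    """Return scheme://host[:port]/path with query and fragment removed."""
    parts = urlsplit(uri)            # urlsplit lowercases the scheme
    scheme = parts.scheme
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError("htu must be an absolute http(s) URI")
    if parts.username is not None or parts.password is not None:
        raise ValueError("userinfo is not accepted in htu")
    host = parts.hostname            # already lowercased by urlsplit
    if ":" in host:                  # IPv6 literal: restore the brackets
        host = f"[{host}]"
    port = parts.port                # raises ValueError on an invalid port
    if port is not None and port != DEFAULT_PORTS[scheme]:
        host = f"{host}:{port}"
    path = parts.path or "/"         # empty path is equivalent to "/"
    return urlunsplit((scheme, host, path, "", ""))


def htu_matches(htu_claim: str, request_uri: str) -> bool:
    """True when the claim and the received request name the same target."""
    try:
        return normalize_htu(htu_claim) == normalize_htu(request_uri)
    except ValueError:
        return False                 # malformed or relative URI: reject


if __name__ == "__main__":
    received = "https://server.example.com/resource?page=2#top"  # constructed
    for claim in (
        "https://server.example.com/resource",       # same target
        "HTTPS://Server.Example.com:443/resource",   # differs only in form
        "http://server.example.com/resource",        # scheme differs
        "/resource",                                 # not an absolute URI
    ):
        print(f"{claim!r:45} -> {htu_matches(claim, received)}")
```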