Hi all,
Great to see the "Identity Assertion JWT Authorization Grant
<https://datatracker.ietf.org/doc/draft-ietf-oauth-identity-assertion-authz-grant/>"
proposal being accepted by OAuth. I'd like to propose that we should not
assume that the issuer of the ID-Token is the same as the issuer of the
ID-JAG. There doesn't seem to be any reason provided for this either in the
draft or in the short discussion we had today.

It's just something that is assumed in the draft, and I feel that can be
generalized without affecting anything in the draft.

To address Aaron's response that "if you want them separate, then you
return to the ID-Chaining draft": I feel there's a lot of value in this
(ID-JAG) specification, and being able to apply it to more use cases broadens
the value of this specification.

I'd love to know what could be potential issues if the ID-JAG issuer is not
assumed to be the same as the ID-Token issuer.

Thanks,
Atul
_______________________________________________
OAuth mailing list -- [email protected]