I support adoption.

We've implemented Client Authentication with JWT-SVIDs in Keycloak, and are already seeing adoption of the preview feature and general interest. It's clear to me why a separate specification is needed due to JWT-SVIDs not being the exact same thing as what you'd expect from a regular client assertion. The separate client_assertion_type makes it a lot clearer to both the client and the authorization server how to validate the JWT-SVID properly, where one important distinction is sub including trust-domain, vs iss claim, which is covered in the spec.

Stian Thorgersen
IBM Norge AS NO 931 482 580 MVA Foretaksregisteret
Lakkegata 53, 0187 Oslo, Norway
