On Thu, Sep 26, 2019 at 11:26:31AM +0200, Travis Spencer wrote:
> * Last but certainly not least is the restriction that the current
> version places on disallowing of the introspection JWT response as an
> access token. This is done in numerous places (the note in section 5,
> 8.1, etc.). I
If I understand the proposal correctly, the request URI is opaque to the
client. Correct?
If so, why not just treat it as an opaque string?
If I were implementing the protocol, I would have the blob be a signed
token so that I could verify the integrity before making a database call.
It much