Re: [OAUTH-WG] [UNVERIFIED SENDER] RE: Cryptographic hygiene and the limits of jwks_uri

2020-01-30 Thread Dick Hardt
Rephrasing Annabelle's description to highlight the issue: The AS says "here are the keys to use to verify all of the tokens that *we* have signed." Separating duties in a large system is good cryptographic hygiene, i.e., one component signs ID Tokens, another signs access tokens. On Wed, Jan 29,

[OAUTH-WG] [Errata Verified] RFC6819 (5965)

2020-01-30 Thread RFC Errata System
The following errata report has been verified for RFC6819, "OAuth 2.0 Threat Model and Security Considerations". -- You may review the report below and at: https://www.rfc-editor.org/errata/eid5965 -- Status: Verified Type:

Re: [OAUTH-WG] Benjamin Kaduk's Discuss on draft-ietf-oauth-jwsreq-19: (with DISCUSS and COMMENT)

2020-01-30 Thread Nat Sakimura
Hi Re: JWT I understand your concern and we can put some explanatory notes. Having said that, JAR is still a valid JWT, I think :-) Re: client_id We actually discussed client_id issues with OpenID Connect WG Call yesterday as well. I hear a pretty strong voice from the developer community that th