Re: [OAUTH-WG] [EXTERNAL] Re: Mix-Up Revisited

2020-06-18 Thread Mike Jones
I support documenting the use of the issuer to mitigate mix-up attacks. Note that while issuer was first defined by OpenID Connect, it became part of OAuth 2.0 in RFC 8414 - OAuth 2.0 Authorization Server Metadata. -- Mike From: OAuth On

Re: [OAUTH-WG] Mix-Up Revisited

2020-06-18 Thread Brian Campbell
In my (probably simplistic) understanding of things, the root underlying issue that allows for mix-up in its variations is the lack of anything identifying the AS in the authorization response. Following from that, introducing and using an `iss` authorization response parameter has always seemed

[OAUTH-WG] draft-ietf-oauth-access-token-jwt: roles, groups, entitlements claim format clarification

2020-06-18 Thread Logan Widick
What are the formats of the "roles", "groups", and "entitlements" JWT claims going to be? Arrays of strings? Arrays of the objects from SCIM Core? Something else? Sincerely, Logan Widick