-
Notifications
You must be signed in to change notification settings - Fork 17
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Public key in JWT #44
Comments
Thanks. Just to check: The That works fine here because the registration is self-signed, but if it ever wasn't (e.g. if we added cross-signing between sessions at some point) would it still make sense? |
Yes. That's from https://www.rfc-editor.org/rfc/rfc7515#section-4.1.3
It's hard to say in the abstract or hypothetical but wouldn't it make sense to figure out how that would work and define it when/if such a thing was added? |
Please consider using the
jwk
header parameter to convey the public key in the JWT sent by the browser. That would better leverage existing standards, be similar to how DPoP did much the same thing: https://www.rfc-editor.org/rfc/rfc9449.html#name-dpop-proof-jwt-syntax, and remove ambiguity of"key": "public key",
in the current example.The text was updated successfully, but these errors were encountered: