WICG / dbsc


JWT clarifications needed #28

Open dickhardt opened 2 months ago

dickhardt commented 2 months ago

In the first JWT, it looks like "jti": "nonce" should be "jti": "challenge from Sec-Session-Challenge header"

"key":"public key" is vague. Perhaps use a JWK?

Why is the session ID not in the first JWT as a sub?

Why is the second JWT different? Could it not be the same?

It looks like you are intentionally not having an iss claim; clarify that it should not be included, as well as what else should not be included. This then leads to describing the JWT verification steps the server should follow.