The audience URL is required, is there any documentation about it?
Message Example: why are there new lines after some URL query parameters but not after others?
Message Example: redirect_uri= is probably missing in front of http%3A%2F%2Flocalhost%3A9000%2Fcallback in the first two examples.
Security Consideration: "As specified in the IUA profile, the IUA Authorization Client and Authorization Server actors SHALL support the JWS (signed) alternative of the JWT token."
Does that mean actions shall use JWS, or only support them? It is also unclear in IUA because they say "JWT token shall be signed as specified in JSON Web Signature [RFC7515]. If signed,[...]".
Security Consideration: "As specified in the IUA profile, the IUA Authorization Client and Authorization Server actors SHALL support Any actor who supports this transaction MAY support the JWE (unsigned but encrypted) alternative of the JWT token."
This makes no sense: either all actors implement and use JWEs, or nobody needs to. If it isn't used, then it's only additional complexity in the spec.
The link to the PIXm profile leads to the latest version, while the label specifies v3.0.0.
Typo: code grant flow of the of the IUA → code grant flow of the IUA