The auth_session value is completely opaque to the client, and as such the authorization server MUST adequately protect the value from inspection by the client, for example by using a random string or using a JWE if the authorization server is not maintaining state on the backend.
I might be wrong, but I think this is the first time I have seen the usage of JWE in stateless implementations spelled out so explicitly. Maybe not many people notice, but I think JWEs are not very preferred (?). Unless there is a strong reason to include this example, it might be worth removing the highlighted part?