oauth-wg / oauth-selective-disclosure-jwt

https://datatracker.ietf.org/doc/draft-ietf-oauth-selective-disclosure-jwt/

claim validation should happen after processing disclosures #333

Closed bc-pi closed 1 year ago

bc-pi commented 1 year ago

Validation of JWT claims, especially those controlling the validity such as iss, exp, or nbf, needs to occur after the processing/unpacking of the disclosures. Such claims will likely usually be in the plain text of the payload, but as written now (https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-05.html#section-6.1-4.2.2.4) checks on them could be omitted if they are in disclosures. [As discussed after OSW in the Uber to LHR.]
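The ordering problem described in the comment above, as an added example that is not part of the issue, the draft, or any reference implementation. It builds a minimal SD-JWT payload whose `exp` claim lives only inside a disclosure, then runs the verifier's validity checks in the two possible orders: on the raw payload before unpacking (the order the comment objects to), and on the reconstructed claim set after unpacking. The issuer URL, salt, claim values and timestamps are constructed for the demo; signature verification of the issuer-signed JWT and key binding are assumed to have happened already and are not shown, and only object-level `_sd` disclosures (no array-element `...` disclosures, no decoy digests) are handled.

```python
import base64
import hashlib
import json


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_disclosure(salt: str, name: str, value) -> str:
    # A disclosure is base64url(JSON array [salt, claim name, claim value]).
    return b64url_encode(json.dumps([salt, name, value], separators=(",", ":")).encode())


def disclosure_digest(disclosure: str) -> str:
    # Digest for _sd_alg "sha-256": base64url(SHA-256 over the ASCII disclosure string).
    return b64url_encode(hashlib.sha256(disclosure.encode("ascii")).digest())


def unpack_disclosures(payload: dict, disclosures: list) -> dict:
    """Rebuild the claim set: every _sd digest that matches a presented disclosure is
    replaced by the disclosed claim; _sd and _sd_alg are dropped. Handles object
    claims (including nested _sd); array-element ("...") disclosures are not covered."""
    by_digest = {disclosure_digest(d): d for d in disclosures}
    used = set()

    def walk(obj):
        if isinstance(obj, list):
            return [walk(item) for item in obj]
        if not isinstance(obj, dict):
            return obj
        out = {k: walk(v) for k, v in obj.items() if k not in ("_sd", "_sd_alg")}
        for digest in obj.get("_sd", []):
            disclosure = by_digest.get(digest)
            if disclosure is None:
                continue  # claim not disclosed in this presentation; stays hidden
            if digest in used:
                raise ValueError("digest referenced more than once")
            used.add(digest)
            _salt, name, value = json.loads(b64url_decode(disclosure))
            if name in out:
                raise ValueError(f"claim {name!r} already present in the payload")
            out[name] = walk(value)
        return out

    claims = walk(payload)
    if used != set(by_digest):
        raise ValueError("presented disclosure has no matching digest")
    return claims


def validate_claims(claims: dict, expected_iss: str, now: int) -> None:
    # Standard JWT validity checks; nothing SD-JWT specific here.
    if claims.get("iss") != expected_iss:
        raise ValueError("iss mismatch")
    if "exp" in claims and now >= claims["exp"]:
        raise ValueError("token expired")
    if "nbf" in claims and now < claims["nbf"]:
        raise ValueError("token not yet valid")


def verify_flawed(payload, disclosures, expected_iss, now):
    # Order the issue objects to: validity checks run on the raw payload, so a
    # claim that only appears inside a disclosure is never checked.
    validate_claims(payload, expected_iss, now)
    return unpack_disclosures(payload, disclosures)


def verify_correct(payload, disclosures, expected_iss, now):
    # Order the issue asks for: unpack first, then check the reconstructed claim set.
    claims = unpack_disclosures(payload, disclosures)
    validate_claims(claims, expected_iss, now)
    return claims


def outcome(verify, *args) -> str:
    try:
        verify(*args)
        return "accepted"
    except ValueError as err:
        return f"rejected: {err}"


# Constructed sample (hypothetical issuer, salt and values): iss is in plaintext,
# exp is hidden inside a disclosure and is already in the past relative to NOW.
ISSUER = "https://issuer.example"
EXP_DISCLOSURE = make_disclosure("_26bc4LT-ac6q2KI6cBW5es", "exp", 1700000000)
SAMPLE_PAYLOAD = {
    "iss": ISSUER,
    "_sd_alg": "sha-256",
    "_sd": [disclosure_digest(EXP_DISCLOSURE)],
    "given_name": "Alice",
}
NOW = 1800000000

if __name__ == "__main__":
    print("validate before unpacking:", outcome(verify_flawed, SAMPLE_PAYLOAD, [EXP_DISCLOSURE], ISSUER, NOW))
    print("validate after unpacking :", outcome(verify_correct, SAMPLE_PAYLOAD, [EXP_DISCLOSURE], ISSUER, NOW))
```

Running it shows the raw-payload order accepting the expired presentation because `exp` is simply absent from the payload it looks at, while the unpack-first order rejects it. Note that `unpack_disclosures` also rejects a presented disclosure with no matching digest, a digest referenced twice, and a disclosed claim name that collides with a plaintext claim, since any of those would let a holder shadow or duplicate a validity claim; with the unpack-first order those failures are reached before any claim is trusted.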

bc-pi commented 1 year ago

PR https://github.com/oauth-wg/oauth-selective-disclosure-jwt/pull/334 merged