You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
@bdemers I seem to remember you working on similar HTTPS resolution logic for this stuff at one time, no? Any insights into this that I need to be aware of? Or do you want to take a crack at it?
Even though the x5u parameter can exist in either a JWT header or a JWK, any validation mechanism for x5u should be identical (and even shared) between the two. As such, closing this as a duplicate of #408.
https://datatracker.ietf.org/doc/html/rfc7517#section-4.6
If receiving a JWK with x5u, it must be verified as defined in the above spec section before it can be used.
The text was updated successfully, but these errors were encountered: