The auth_session value is completely opaque to the client, and as such the authorization server MUST adequately protect the value from inspection by the client, for example by using a random string or using a JWE if the authorization server is not maintaining state on the backend.
I might be wrong, but I think this is the first time I have seen the usage of JWE in stateless implementations spelled out so explicitly. Maybe not many people notice, but I think JWEs are not very preferred (?). Unless there is a strong reason to include this example, it might be worth removing the highlighted part?
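As an added illustration of the quoted requirement (not code from the draft or from this issue): a stateless authorization server can keep the auth_session opaque by AEAD-encrypting its session state under a key only the server holds. AES-GCM in Go stands in here for the JWE the draft names; the session contents and the test key are constructed for the example, and clientCanRead is the check a reviewer would run against the value a client actually receives.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
)

// gcmFor builds the server-side AEAD; AES-GCM stands in for the JWE the draft names.
func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes and never leave the server
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	return gcm
}
// sealStateless encrypts the session state into an opaque value with the random nonce prepended.
func sealStateless(key []byte, state map[string]string) string {
	plain, _ := json.Marshal(state) // a map of strings always marshals
	gcm := gcmFor(key)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err) // refuse to issue a session rather than risk a reused nonce
	}
	return base64.RawURLEncoding.EncodeToString(gcm.Seal(nonce, nonce, plain, nil))
}

// openStateless recovers the state; a modified, truncated or foreign value fails the GCM tag check.
func openStateless(key []byte, handle string) (state map[string]string, err error) {
	raw, err := base64.RawURLEncoding.DecodeString(handle)
	gcm := gcmFor(key)
	n := gcm.NonceSize()
	if err != nil || len(raw) < n {
		return nil, errors.New("malformed auth_session")
	}
	plain, err := gcm.Open(nil, raw[:n], raw[n:], nil)
	if err != nil {
		return nil, err
	}
	return state, json.Unmarshal(plain, &state)
}
// clientCanRead models a client inspecting the value: true for plain base64url JSON (the anti-pattern).
func clientCanRead(handle string) bool {
	raw, err := base64.RawURLEncoding.DecodeString(handle)
	return err == nil && json.Valid(raw)
}
```

A random-string handle backed by a server-side table (the draft's other option) is opaque by construction and needs no decryption; the encrypted form above is what the stateless case requires to meet the same bar.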