- Type: Task
- Resolution: Won't Do
- Priority: Major - P3
- None
- Affects Version/s: None
- Component/s: None
- Labels: None
- Server Security
- v7.3, v7.0
- Security 2024-02-19, Security 2024-03-04

The server must reject access tokens containing a 'cnf' claim, as it indicates that the token is sender-constrained and must be validated along with a proof-of-possession of a corresponding client private key. Since the server does not yet support proof-of-possession validation, it must disallow the usage of this claim in all access tokens.
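
The rejection rule described above, as an added example that is not code from this ticket or from the project it belongs to. The function names and sample tokens are hypothetical and constructed here, and the sketch assumes signature, issuer, audience and expiry checks run elsewhere.

```python
import base64
import binascii
import json


class TokenRejected(Exception):
    """Raised when an access token must not be accepted."""


def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def reject_sender_constrained(jwt_compact: str) -> dict:
    """Return the claims of a bearer token, or raise if it carries 'cnf'.

    Assumption: signature, issuer, audience and expiry are verified elsewhere.
    """
    parts = jwt_compact.split(".")
    if len(parts) != 3:
        raise TokenRejected("not a compact JWS")
    try:
        claims = json.loads(b64url_decode(parts[1]))
    except (binascii.Error, ValueError) as exc:
        raise TokenRejected("payload is not valid base64url JSON") from exc
    if not isinstance(claims, dict):
        raise TokenRejected("payload is not a JSON object")
    # Presence alone is disqualifying: an empty or unrecognised 'cnf' value still
    # means the issuer bound the token to a key this server cannot verify.
    if "cnf" in claims:
        raise TokenRejected("sender-constrained token ('cnf') not supported")
    return claims


def make_token(claims: dict) -> str:
    # Builds a constructed sample token; the signature segment is a placeholder.
    def enc(obj: dict) -> str:
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.c2ln"
```

Accepting such a token as a plain bearer token would silently drop the key binding the issuer intended, which is why the check fails closed on the claim's presence rather than on its contents.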