Gabriel Corona

Results 204 comments of Gabriel Corona

What about something such as: > Verify that the client securely scopes a given interactive OAuth authorization flow to a user agent session and transaction. This requires that client generated...

For reference some wording about "iat" and "nbf" (but not "exp") from [FAPI 2.0](https://openid.bitbucket.io/fapi/fapi-2_0-security-profile.html): > to accommodate clock offsets, shall accept JWTs with an iat or nbf timestamp between 0...

> I would not put iat here that quickly. From this you can assume the clocks are synced, but it is not meant for time-window validation. Note that for DPoP,...

What about something like: > Verify that the consumer of a stateless token accepts the token only if the verification time is within this validity time span in the token...

I like your second version better. The other two look somewhat ambiguous to me. Analysis of the third proposition: for example, > Verify that the stateless token is allowed to...

@elarlang, the token introspection part can be skipped if needed. The [definitions](https://www.rfc-editor.org/rfc/rfc7662#section-2.2) of nbf and exp from token introspection reference the definition from JWT (but use them in a separate...

> The claim 'jti' should be validated to identify a specific token, in example to assert that the token is only used once. I would not include this. It's usually...

Yes, I thought it would be better to have this discussed before PR but this could directly be discussed in a PR instead…

@danielcuthbert, OK, I'll try to do that. I think I'd start by including all the things I've mentioned except maybe ARIA and Camellia, which appear to be quite niche in term...

Some additional things not mentioned which might be relevant. MAC:

* Poly1305, approved
  * This one is important because it is used in current TLS ciphersuites.
  * note that this...