Issues
Public key in JWT
#44 opened by bc-pi - 9
HTTP 401 MUST return a WWW-Authenticate header
#65 opened by danmarg - 0
An attack vector for DBSC:
#35 opened by maxhata - 1
`Sec-` prefix for a server header
#59 opened by yoavweiss - 0
PoC using swtpm
#63 opened by theMiddleBlue - 1
Use Outside of Google
#62 opened by amitassaraf - 14
JWS algorithms are case-sensitive
#41 opened by bc-pi - 9
Why send JWTs two different ways?
#53 opened by sbweeden - 2
Reduce latency by including refresh challenge
#29 opened by dickhardt - 1
Explicitly type the JWT
#27 opened by dickhardt - 56
A simpler flow proposal
#46 opened by el1s7 - 13
how are endpoints conveyed from server to browser?
#45 opened by bc-pi - 5
JWTs are not themselves base64url encoded
#47 opened by bc-pi - 18
MVP Recommendation: TOTP
#36 opened by wparad - 5
Need for attestation?
#34 opened by jackevans43 - 3
explain `excluded scope`
#30 opened by dickhardt - 2
jti/nonce/challenge value?
#43 opened by bc-pi - 13
Insufficient rationale
#13 opened by simon-friedberger - 0
iat is a number
#42 opened by bc-pi - 13
[Fetch] What's stopping us from using the Fetch API configuration to support this?
#39 opened by wparad - 4
Login Status API?
#32 opened by dickhardt - 1
timed refresh mechanism
#33 opened by dickhardt - 2
JWT clarifications needed
#28 opened by dickhardt - 2
IP binding with Cookies can't be enough?
#25 opened by threatdecoder - 1
Question RE: Tracking and Identity Providers
#24 opened by whitehatguy - 0
Really supportive of this effort!
#22 opened by miketheitguy - 13
Diagram mismatch
#16 opened by alextok - 0
Origin trial updates
#17 opened by kmonsen - 2
key_registration_header.svg is hard to read when the reader's browser is dark mode.
#15 opened by aawc - 0
Clarification of BFCache handling
#14 opened by simon-friedberger - 5
Support of different types of tokens is not clear
#11 opened by alextok - 17