The token we receive from the OAuth endpoint of our Azure ACS namespace has a (decoded) header field, given below.
Using the Fiddler tool's base64 decoder, we change - and _ back to + and /, and add the padding char(s).
It’s supposed to be a hash, and probably an SHA1 hash.
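As an added example (not from the original post), here is the same decoding in Python, followed by a check of whether the decoded value is the SHA-1 thumbprint of a given certificate. It assumes the header field in question is the standard JWS `x5t` parameter; the token and the certificate bytes are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json


def b64url_decode(value: str) -> bytes:
    """Undo base64url: '-' -> '+', '_' -> '/', then restore '=' padding."""
    std = value.replace("-", "+").replace("_", "/")
    std += "=" * (-len(std) % 4)
    return base64.b64decode(std, validate=True)


def header_thumbprint(jwt: str) -> bytes:
    """Return the raw bytes of the header's x5t value (assumed field name)."""
    header = json.loads(b64url_decode(jwt.split(".", 1)[0]))
    x5t = header.get("x5t")
    if not isinstance(x5t, str):
        raise ValueError("header carries no x5t certificate reference")
    raw = b64url_decode(x5t)
    if len(raw) != 20:  # a SHA-1 digest is exactly 20 bytes
        raise ValueError(f"x5t is {len(raw)} bytes, not a SHA-1 digest")
    return raw


def references_cert(jwt: str, cert_der: bytes) -> bool:
    """True if x5t equals the SHA-1 hash of the DER-encoded certificate."""
    return hmac.compare_digest(header_thumbprint(jwt), hashlib.sha1(cert_der).digest())


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


# Constructed sample data: placeholder bytes stand in for a DER certificate,
# and the token carries a dummy payload and signature.
SAMPLE_CERT_DER = b"constructed placeholder, not a real certificate"
_header = {"typ": "JWT", "alg": "RS256", "x5t": _b64url(hashlib.sha1(SAMPLE_CERT_DER).digest())}
SAMPLE_JWT = ".".join([_b64url(json.dumps(_header).encode()), _b64url(b"{}"), "sig"])

if __name__ == "__main__":
    print("thumbprint:", header_thumbprint(SAMPLE_JWT).hex().upper())
    print("references sample cert:", references_cert(SAMPLE_JWT, SAMPLE_CERT_DER))
```

A match only identifies which certificate the token points at; checking the token's signature and the certificate's chain are separate steps.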
We see our GoDaddy cert is:
Now let’s say that the cert has a critical extension, and it’s a URL, say, that demands that the verifier contact a given OCSP responder.
If we now receive the JWT over a WS-Trust channel, will the security token resolvers pick up the JWT’s reference, locate the cert AND verify the cert chain?