2019-03-17 UTC
# Zegnat I don’t think there is a lot left from assertions when you ignore the part that makes assertions self-contained. Now when you receive an assertion you need to check who it is for (example.com), who the issuer is (example.com/auth), then you need to contact who it is for to see if they still use that issuer (fetch example.com and check if auth_endpoint is /auth) and then you need to contact the issuer to see if the assertion is valid at