[Openid-specs-ab] Potential Future Interoperability issues with JWTs for User Info

Andreas Åkre Solberg andreas.solberg at uninett.no
Wed Aug 24 04:56:29 UTC 2011


JWT-05 Section 6 defines the following rule for validating JWTs.

> 6. When used in a security-related context, the Decoded JWT Claim
>         Segment MUST be validated to only include claims whose syntax
>         and semantics are both understood and supported.

The way I interpret this, it would mean that introducing new claims in a schema may be a risky business, because consumers, according to the spec, should reject the whole JWT even if only a single claim is 'unknown'.

The same problems may be seen in other parts of the spec where JWTs are used, where the members/claims are likely to get additions; or provider-specific values.

One way this could be dealt with would be to have some kind of negotiation of what claims are supported, through metadata. (See my other posts about metadata, which give an example of this.)

Andreas
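To make the interoperability point concrete, here is an added example (not from the post or from the JWT draft itself) of a claim validator that applies the Section 6 rule literally next to a tolerant variant. It handles claim-segment validation only; signature verification is a separate step and is omitted. The claim schema, the `email` claim and the sample tokens are constructed for the example.

```python
import base64
import json
import time


def _is_str(v):
    return isinstance(v, str)


def _is_int(v):
    # bool is a subclass of int in Python; exclude it explicitly
    return isinstance(v, int) and not isinstance(v, bool)


# Constructed schema of claims this consumer "understands and supports":
# claim name -> syntax check. The set is an assumption for the example.
KNOWN_CLAIMS = {
    "iss": _is_str,
    "sub": _is_str,
    "exp": _is_int,
    "iat": _is_int,
    "email": _is_str,
}


def b64url_decode(s):
    # Re-add the padding that compact JWT serialization strips
    return base64.urlsafe_b64decode((s + "=" * (-len(s) % 4)).encode("ascii"))


def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def make_unsigned_jwt(claims):
    # Builds an unsigned (alg "none") token purely as test input for the validator
    header = b64url_encode(json.dumps({"alg": "none"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def validate_claims(jwt, strict=True, now=None):
    """Validate the claim segment of a compact-serialized JWT.

    strict=True applies JWT-05 Section 6 literally: any claim outside
    KNOWN_CLAIMS causes the whole token to be rejected.
    strict=False ignores unknown claims but still checks the syntax and
    semantics of every claim it does understand.
    Returns (ok, reason, accepted_claims).
    """
    parts = jwt.split(".")
    if len(parts) != 3:
        return False, "malformed compact serialization", None
    try:
        claims = json.loads(b64url_decode(parts[1]))
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return False, "claim segment is not decodable", None
    if not isinstance(claims, dict):
        return False, "claim segment is not a JSON object", None

    unknown = sorted(set(claims) - set(KNOWN_CLAIMS))
    if unknown and strict:
        # This is the behaviour the post worries about: one new claim
        # from a provider breaks every consumer that does not know it.
        return False, f"unknown claims: {unknown}", None

    for name, check in KNOWN_CLAIMS.items():
        if name in claims and not check(claims[name]):
            return False, f"bad syntax for claim {name}", None

    now = time.time() if now is None else now
    if "exp" in claims and claims["exp"] <= now:
        return False, "token expired", None

    accepted = {k: v for k, v in claims.items() if k in KNOWN_CLAIMS}
    return True, "ok", accepted
```

Running both modes over a token that carries one extra claim shows the trade-off: the strict validator rejects it outright, while the tolerant validator still enforces syntax and expiry on the claims it knows and simply drops the rest.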