[Openid-specs-ab] Potential Future Interoperability issues with JWTs for User Info

John Bradley ve7jtb at ve7jtb.com
Thu Aug 25 20:55:03 UTC 2011


Yes, the claims need to be negotiated dynamically in the request, or possibly through an out-of-band mechanism like meta-data.

The concern is that having additional stuff in the JWT that you don't understand may cause security issues for the recipient.
In the generic delivery of non security attributes it is safe to just ignore the claims you don't understand.

John B.
On 2011-08-23, at 9:56 PM, Andreas Åkre Solberg wrote:

> JWT-05 Section 6 defines the following rule for validating JWTs.
> 
>> 6. When used in a security-related context, the Decoded JWT Claim
>>         Segment MUST be validated to only include claims whose syntax
>>         and semantics are both understood and supported.
> 
> The way I interpret this, it would mean that introducing new claims in a schema may be a risky business, because consumers according to the spec should reject the whole JWT even if only a single claim is 'unknown'.
> 
> The same problems may be seen in other parts of the spec where JWTs are used, where the members/claims are likely to get additions; or provider-specific values.
> 
> One way this could be dealt with, would be to have kind of a negotiation of what claims are supported, through metadata. (see my other posts about metadata, giving an example of this).
> 
> Andreas
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab
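The two validation behaviours discussed in this thread (the JWT-05 Section 6 rule for security-related contexts versus ignoring unknown claims in generic attribute delivery), together with the metadata-based negotiation of supported claims, as an added example that is not code from the original post or from either author. The claim names with their syntax checks, the sample token, the `x_custom_attr` claim and the provider metadata set are all constructed for illustration; signing and signature verification are deliberately left out because the point here is how the decoded claim segment is handled.

```python
import base64
import json


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_claim_segment(jwt: str) -> dict:
    """Return the Decoded JWT Claim Segment (second dot-separated part) as a dict.

    Signature handling is outside this example; only the claim segment is parsed.
    """
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated segments")
    claims = json.loads(b64url_decode(parts[1]))
    if not isinstance(claims, dict):
        raise ValueError("claim segment is not a JSON object")
    return claims


# Claims this consumer understands, each with a syntax check (assumed, illustrative set).
UNDERSTOOD_CLAIMS = {
    "iss": lambda v: isinstance(v, str),
    "aud": lambda v: isinstance(v, str),
    "exp": lambda v: isinstance(v, int) and not isinstance(v, bool),
    "email": lambda v: isinstance(v, str) and "@" in v,
}


def validate_claims(claims: dict, understood: dict, security_context: bool) -> dict:
    """Apply the JWT-05 Section 6 rule.

    security_context=True:  reject the whole token if any claim is unknown or
                            has unsupported syntax (the strict reading of Section 6).
    security_context=False: generic attribute delivery; unknown claims are dropped
                            and only the understood ones are returned.
    """
    bad_syntax = [n for n, v in claims.items() if n in understood and not understood[n](v)]
    if bad_syntax:
        raise ValueError(f"claims with unsupported syntax: {bad_syntax}")
    unknown = [n for n in claims if n not in understood]
    if security_context and unknown:
        raise ValueError(f"unknown claims in security-related context: {unknown}")
    return {n: v for n, v in claims.items() if n in understood}


def negotiate_claims(provider_supported: set, consumer_understood: set) -> set:
    """Metadata-style negotiation: the claims a provider may safely emit are the
    intersection of what it advertises and what the consumer says it understands."""
    return provider_supported & consumer_understood


def make_unsigned_jwt(claims: dict) -> str:
    """Build a constructed token for the example; the signature segment is left empty."""
    header = {"typ": "JWT"}
    return ".".join([
        b64url_encode(json.dumps(header).encode()),
        b64url_encode(json.dumps(claims).encode()),
        "",
    ])


# Constructed sample: three understood claims plus one the consumer has never seen.
SAMPLE_CLAIMS = {
    "iss": "https://op.example",
    "exp": 1314399999,
    "email": "alice@example.com",
    "x_custom_attr": "provider-specific value",  # constructed unknown claim
}
SAMPLE_JWT = make_unsigned_jwt(SAMPLE_CLAIMS)

# Constructed provider metadata listing the claims it is able to emit.
PROVIDER_CLAIMS_SUPPORTED = {"iss", "exp", "email", "x_custom_attr"}


if __name__ == "__main__":
    decoded = decode_claim_segment(SAMPLE_JWT)
    print("generic delivery keeps:", validate_claims(decoded, UNDERSTOOD_CLAIMS, False))
    try:
        validate_claims(decoded, UNDERSTOOD_CLAIMS, True)
    except ValueError as err:
        print("security context rejects:", err)
    print("negotiated claim set:",
          negotiate_claims(PROVIDER_CLAIMS_SUPPORTED, set(UNDERSTOOD_CLAIMS)))
```

Running the module shows the asymmetry the thread is about: the same token is accepted (minus the unknown claim) for plain attribute delivery but rejected outright under the security-context rule, while the negotiated set is what a provider would restrict itself to so that the strict consumer never sees `x_custom_attr` in the first place.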
