[Openid-specs-ab] FW: Is an OpenID Connect request really a JWT?

Mike Jones Michael.Jones at microsoft.com
Fri May 18 05:50:51 UTC 2012

For what it's worth, I've received similar feedback from other parties.  We should probably consider changing the description of the request object from being a JWT to being a JWS signed JSON object.

                                                            -- Mike

From: jose-bounces at ietf.org [mailto:jose-bounces at ietf.org] On Behalf Of Manger, James H
Sent: Thursday, May 17, 2012 9:49 PM
To: jose at ietf.org
Subject: [jose] Is an OpenID Connect request really a JWT?

OpenID Connect [http://openid.net/specs/openid-connect-standard-1_0.html#req_param_method] says:
  "The request parameter is a JWT encoded OpenID Request Object...
   The JWT object MAY be signed or signed and encrypted via JWS and JWE"

It gives the example below, which is a JWS with "typ":"JWT". The payload is a JSON object with 8 fields (response_type, client_id, redirect_uri, scope, state, nonce, userinfo (with lots of sub-fields), id_token (with sub-fields)). The payload has none of the 8 reserved claims from the JWT spec (exp, nbf, iat, iss, aud, prn, jti, typ).

Can we really call that a JWT?
It seems implausible that the 8 fields in this example (response_type...) are supposed to be treated as "Private Claim Names" as per the JWT spec.

We have two totally separate ideas both being called "JWT".

1. JSON object carrying a bunch of claims.

2. A base64-based way to package any blob of bytes in unprotected, signed, or encrypted forms.

Suggestion: use "JWT" for #2; pick a new name for #1 (perhaps JSON Claim Set); lots of changes to spec text.

JWT algorithm = HS256
HMAC HASH Key = 'aaa'
JSON Encoded Header = "{"alg":"HS256","typ":"JWT"}"
JSON Encoded Payload = "{"response_type":"code id_token",
    "scope":"openid profile",

JWT = eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJyZXNwb25zZV90eXBlIjoiY29kZ

James Manger
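As an added illustration of the distinction James draws (this is example code, not from the thread, the OpenID Connect spec, or any JOSE library): a minimal HS256 JWS packager and verifier, plus a check of whether a verified payload carries any of the reserved claims listed above. The request object values are constructed, not the spec's example.

```python
import base64
import hashlib
import hmac
import json

# Reserved claim names as listed in the message (2012 JWT draft).
RESERVED_CLAIMS = {"exp", "nbf", "iat", "iss", "aud", "prn", "jti", "typ"}

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def jws_hs256_sign(payload: dict, key: bytes) -> str:
    """Package any JSON object as a compact HS256 JWS: header.payload.signature."""
    header = {"alg": "HS256", "typ": "JWT"}
    parts = [json.dumps(header, separators=(",", ":")).encode(),
             json.dumps(payload, separators=(",", ":")).encode()]
    signing_input = ".".join(b64url_encode(p) for p in parts)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)

def jws_hs256_verify(token: str, key: bytes) -> dict:
    """Check the HMAC over header.payload and return the decoded payload."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise ValueError("not a three-part compact JWS")
    if json.loads(b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin the algorithm; never trust the header alone
    expected = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(p))

def jwt_reserved_claims(payload: dict) -> set:
    """Reserved JWT claims present; empty set means 'signed JSON object', not a claims set."""
    return RESERVED_CLAIMS & set(payload)

# Constructed request object in the shape the spec example describes
# (values are made up for this example, not the spec's).
REQUEST_OBJECT = {
    "response_type": "code id_token", "client_id": "s6BhdRkqt3",
    "redirect_uri": "https://client.example.com/cb", "scope": "openid profile",
    "state": "af0ifjsldkj", "nonce": "n-0S6_WzA2Mj",
    "userinfo": {"claims": {"name": None, "email": None}},
    "id_token": {"max_age": 86400},
}
```

Signing the request object with key b"aaa" and verifying it returns the eight request fields intact, while jwt_reserved_claims() on that payload is empty: the container is a JWS, but nothing in it is a JWT claim.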
