[Openid-specs-ab] "jti" claim in client_secret_jwt and private_key_jwt JWTs

Brian Campbell bcampbell at pingidentity.com
Mon Oct 28 20:51:37 UTC 2013

Is it up to the client as to if it will produce single-use JWTs? Or is it
up the the AS as it if it wants to always enforce single-use? If a client
signals that the JWT is single-use via the inclusion of a jti claim, then
the AS has the choice to track for single-use or not. But, in that case,
the AS can't mandate that the client send jti. For some reason I'd always
thought of it as exclusively up to the AS. Though that can have interop

There maybe implications on or from the OAuth assertion drafts with this
too. The jti claim is optional in draft-ietf-oauth-json-web-token and
draft-ietf-oauth-jwt-bearer so it could be used like this. But ID is a
required attribute per schema for SAML assertions. I realize that's beyond
the scope of Connect but it'd be nice if there was common treatment.
There's related language in draft-ietf-oauth-assertions too in sec 5.1 and

To John's point about not having exp be more than 12h - there is language
in all three assertion drafts about the AS being allowed to reject
assertions/jwts that expire unreasonably far in the future. Maybe more
should be said?

My comment on this text originated from thinking that a client (especially
a web server client doing a lot of transactions) might very reasonably try
and avoid having to compute a new RSA signature each time.  And that seemed
to be allowed but might be problematic with an AS that chose to try and

On Sun, Oct 27, 2013 at 5:57 PM, John Bradley <ve7jtb at ve7jtb.com> wrote:

> In am OK with that.    If that is the case we should say something about
> exp not being set more than 12h (or some reasonable value other wise people
> will set it for a year) into the future if jti is not sent.
> John B.
> On Oct 27, 2013, at 12:52 AM, Mike Jones <Michael.Jones at microsoft.com>
> wrote:
>  One possibility that comes to mind is saying that if “jti” is included,
> it signals that the JWT is single-use.  What do people think of that
> possibility?****
> What do people expect the “normal” use of these JWTs to be?****
>                                                             -- Mike****
> *From:* Brian Campbell [mailto:bcampbell at pingidentity.com<bcampbell at pingidentity.com>
> ]
> *Sent:* Saturday, October 26, 2013 11:56 AM
> *To:* John Bradley
> *Cc:* Mike Jones; openid-specs-ab at lists.openid.net
> *Subject:* Re: [Openid-specs-ab] "jti" claim in client_secret_jwt and
> private_key_jwt JWTs****
> ** **
> Not so fast. The same assertion could be used multiple times and, because
> it'll have a relatively short validity window, it will still have
> significantly better security characteristics than a password. Which is
> true for both self-signed and 3rd party issued assertions.****
> Yes, single use is better than that but enforcing single use places a
> significant operational burden on the AS. I don't believe the tradeoff is
> worth it for client auth over a direct TLS connection to the AS.****
> If the AS has the option of enforcing one-time use assertions but no way
> for the client to discover the requirement, then you'll have introp
> problems (or overly complex and probably buggy retry code on the client).*
> ***
> ** **
> On Fri, Oct 25, 2013 at 9:25 PM, John Bradley <ve7jtb at ve7jtb.com> wrote:**
> **
> Self signed assertions must be single use.  That is the point of using
> them vs a password.  If you use the same assertion multiple times it is a
> password. ****
> ** **
> There are reasons to re use a third party assertion, but it has the same
> security as a password.
> Sent from my iPhone****
> On Oct 25, 2013, at 7:49 PM, Mike Jones <Michael.Jones at microsoft.com>
> wrote:****
> The spec currently says this about JWTs used for client_secret_jwt and
> private_key_jwt:****
> jti****
> REQUIRED. JWT ID. A unique identifier for the token. The JWT ID MAY be
> used by implementations requiring message de-duplication for one-time use
> assertions.****
>  ****
> Brian asked us to drop the sentence “The JWT ID MAY be used by
> implementations requiring message de-duplication for one-time use assertions”
> in both cases.****
>  ****
> A few questions:****
> 1.       Why is “jti” required?****
> 2.       How do we expect it to normally be used?****
> 3.       Would it be typical for assertions to be for one-time use in our
> use cases?****
> 4.       How would a client know whether an assertion is for one-time use?
> ****
> 5.       Should “jti” only be present if the assertion is for one-time
> use?****
> 6.       Should it be required at all?****
>  ****
>                                                                 -- Mike***
> *
>  ****
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab****
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20131028/fe4a7155/attachment.html>

More information about the Openid-specs-ab mailing list