Hm, the ID Tokens our OIDC connect endpoint produces currently contain a “cid” claim, which if I understand correctly is used for this.  It’s very useful. “cid” seems slightly more mnemonic.  -Tim<br><br><div class="gmail_quote">
On Mon, Dec 10, 2012 at 5:33 PM, Nat Sakimura <span dir="ltr"><<a href="mailto:sakimura@gmail.com" target="_blank">sakimura@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<p style="line-height:20px;color:rgb(51,51,51);font-size:14px;font-family:sans-serif;margin:0px;word-wrap:break-word;padding:0px">As it was discussed during today's call, here is the concrete proposal that I am making. </p>

<p style="line-height:20px;color:rgb(51,51,51);font-size:14px;font-family:sans-serif;margin:0px;word-wrap:break-word;padding:0px">I would take them to OAuth ML if you guys agree. </p><p style="line-height:20px;color:rgb(51,51,51);font-size:14px;font-family:sans-serif;margin:0px;word-wrap:break-word;padding:0px">

<br></p><p style="line-height:20px;color:rgb(51,51,51);font-size:14px;font-family:sans-serif;margin:0px;word-wrap:break-word;padding:0px"></p><p style="margin:0px;padding:0px;word-wrap:break-word">
There are two types: a brief one and a more specified one.</p><p style="margin:0px;padding:0px;word-wrap:break-word"></p><p style="margin:10px 0px;padding:0px;word-wrap:break-word"><b>(Option 1) Really brief one</b></p><div>

<pre style="font-family:'Bitstream Vera Sans Mono','DejaVu Sans Mono',Monaco,monospace;font-size:12px;line-height:1.4;margin-top:9px;margin-bottom:9px;border:1px solid rgb(204,204,204);border-top-left-radius:3px;border-top-right-radius:3px;border-bottom-right-radius:3px;border-bottom-left-radius:3px;padding:9px 12px;background-color:rgb(245,245,245);overflow-x:auto">
4.1.9. "reg" (Registered to) Claim

The "reg" (registered to) claim is the Client ID of the user of the
JWT that the audience is able to identify the client with.
This claim is OPTIONAL.
</pre><div><span><br></span></div></div><p></p><p style="margin:10px 0px;padding:0px;word-wrap:break-word"><b>(Option 2) Brief one</b></p><p style="margin:10px 0px;padding:0px;word-wrap:break-word">Add the following to the JWT.</p>

<div><pre style="font-family:'Bitstream Vera Sans Mono','DejaVu Sans Mono',Monaco,monospace;font-size:12px;line-height:1.4;margin-top:9px;margin-bottom:9px;border:1px solid rgb(204,204,204);border-top-left-radius:3px;border-top-right-radius:3px;border-bottom-right-radius:3px;border-bottom-left-radius:3px;padding:9px 12px;background-color:rgb(245,245,245);overflow-x:auto">
4.1.9. "reg" (Registered to) Claim

The "reg" (registered to) claim identifies the client that the JWT is
intended for. The client intended to use the JWT MUST be
identified by the audience with the value of this claim.

The "reg" value is a case sensitive string containing a StringOrURI value.
This claim is OPTIONAL. If the principal processing the claim does not
identify the user of the JWT with the identifier in the "reg" claim value,
then the JWT MUST be rejected. The interpretation of the registered to
value is generally application specific.
</pre></div><p style="margin:10px 0px;padding:0px;word-wrap:break-word"><b><br></b></p><p style="margin:10px 0px;padding:0px;word-wrap:break-word"><b>(Option 3) More specified one</b></p><p style="margin:10px 0px;padding:0px;word-wrap:break-word">

Add the following to the JWT.</p><div><pre style="font-family:'Bitstream Vera Sans Mono','DejaVu Sans Mono',Monaco,monospace;font-size:12px;line-height:1.4;margin-top:9px;margin-bottom:9px;border:1px solid rgb(204,204,204);border-top-left-radius:3px;border-top-right-radius:3px;border-bottom-right-radius:3px;border-bottom-left-radius:3px;padding:9px 12px;background-color:rgb(245,245,245);overflow-x:auto">
4.1.9. "reg" (Registered to) Claim

The "reg" (registered to) claim identifies the client that the JWT is
intended for. The client intended to use the JWT MUST be
identified by the audience with the value of this claim.

The "reg" value is a case sensitive string containing a StringOrURI value.
This claim is OPTIONAL. If the principal processing the claim does not
identify the user of the JWT with the identifier in the "reg" claim value,
then the JWT MUST be rejected. The interpretation of the registered to
value is generally application specific.

A typical example of a registered to claim includes the following:
* A base64url encoded JWK.
* A base64url encoded DER.
* A URL that points to the key material that the audience can use to
  authenticate the user of the JWT.
* client_id that the audience can use to authenticate and
  identify the client.

4.1.10. "rct" (Registered to claim type)

The "rct" (Registered to claim type) identifies the type of the "reg" claim.
It is a StringOrURI value. The defined values are the following:

"jwk" The value of the "reg" claim is a base64url encoded JWK of
the registered client.

"x5u" The value of the "reg" claim is the URL that points to the public
key certificate of the registered client. The format of the content
that x5u points to is described in section 4.1.4 of the JSON Web Signature.

"client_id" The value of the "reg" claim is the Client ID of the client
that the audience of the JWT is able to use to authenticate the client.
</pre></div><p style="margin:10px 0px;padding:0px;word-wrap:break-word">Alternatively, they can be added to Table 1 of the Messages, but I think it is general enough that it should live in JWT.</p><span class="HOEnZb"><font color="#888888"><p>
</p>-- <br>Nat Sakimura (=nat)<div>
Chairman, OpenID Foundation<br><a href="http://nat.sakimura.org/" target="_blank">http://nat.sakimura.org/</a><br>@_nat_en</div><br>
</font></span><br>_______________________________________________<br>
Openid-specs-ab mailing list<br>
<a href="mailto:Openid-specs-ab@lists.openid.net">Openid-specs-ab@lists.openid.net</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a><br>
<br></blockquote></div><br>
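<p>A worked illustration of the audience-side rule in the quoted proposal (the "reg"/"rct" claims of Options 2 and 3, which is also what Tim's "cid" claim is used for): the claim is OPTIONAL, but when it is present the audience must be able to identify the presenting client with it, and otherwise MUST reject the JWT. This is added example code, not code from the thread, from the OpenID Foundation or from any JWT specification. It assumes an HS256-signed token with a constructed shared key and constructed client identifiers, and it makes one assumption of its own, labelled in the code: a "reg" claim that arrives without an "rct" is treated as a client_id.</p>

```python
import base64
import hashlib
import hmac
import json


class RejectedJWT(Exception):
    """Raised whenever the audience MUST reject the token."""


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_jwt(payload: dict, key: bytes) -> str:
    """Issuer side: minimal HS256 compact serialization, standard library only."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_jwt(token: str, key: bytes) -> dict:
    """Audience side: check the HS256 signature, then return the payload."""
    parts = token.split(".")
    if len(parts) != 3:
        raise RejectedJWT("malformed compact serialization")
    header_b64, payload_b64, sig_b64 = parts
    # The token's header never gets to choose an algorithm we did not configure.
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise RejectedJWT("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise RejectedJWT("bad signature")
    return json.loads(b64url_decode(payload_b64))


def check_registered_to(payload: dict, our_aud: str, presenting_client: dict) -> bool:
    """The proposal's rule: "reg" is OPTIONAL, but when present the audience must
    identify the presenting client with it or reject the JWT. presenting_client is
    what the audience established on its own about the presenter (client
    authentication, mTLS, ...), keyed by "rct" type: client_id / jwk / x5u."""
    aud = payload.get("aud")
    if aud != our_aud and not (isinstance(aud, list) and our_aud in aud):
        raise RejectedJWT("token not intended for this audience")
    if "reg" not in payload:
        return True  # OPTIONAL claim absent: nothing to match against
    reg = payload["reg"]
    # Assumption of this example (not in the proposal): no "rct" means client_id.
    rct = payload.get("rct", "client_id")
    if rct == "client_id":
        matches = reg == presenting_client.get("client_id")
    elif rct == "jwk":  # "reg" is a base64url-encoded JWK; compare parsed objects
        try:
            matches = json.loads(b64url_decode(reg)) == presenting_client.get("jwk")
        except ValueError:  # bad base64, bad UTF-8 or bad JSON
            matches = False
    elif rct == "x5u":  # URL of the certificate the client was registered with
        matches = reg == presenting_client.get("x5u")
    else:
        matches = False  # unknown "rct": fail closed
    if not matches:
        raise RejectedJWT(f'presenting client does not match "reg" (rct={rct})')
    return True


# Constructed sample data, not values from the thread.
SAMPLE_KEY = b"constructed-shared-secret-for-the-example"
REGISTERED_CLIENT = {"client_id": "client-abc"}


def demo(presenting_client: dict, reg=None, rct=None) -> str:
    """Issue a token for audience rs.example, then validate it as that audience."""
    payload = {"iss": "op.example", "aud": "rs.example", "sub": "user-1"}
    if reg is not None:
        payload["reg"] = reg
    if rct is not None:
        payload["rct"] = rct
    token = encode_jwt(payload, SAMPLE_KEY)
    try:
        check_registered_to(verify_jwt(token, SAMPLE_KEY), "rs.example", presenting_client)
        return "accepted"
    except RejectedJWT as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    print(demo(REGISTERED_CLIENT, "client-abc"))           # accepted
    print(demo({"client_id": "client-xyz"}, "client-abc"))  # rejected: ... (rct=client_id)
```

<p>The point of the separation is that the "reg" value is never taken as proof of who is presenting the token: the audience first establishes the presenter's identity by its own means and only then compares it with the claim, so a token issued to one client cannot be replayed by another, and an unrecognised "rct" type is rejected rather than guessed at.</p>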