[Openid-specs-mobile-profile] [Async JWT Profile] draft-oauth-versatile-jwt-profile-01

Manger, James James.H.Manger at team.telstra.com
Wed Mar 29 01:41:56 UTC 2017

Hi Nicolas,

A couple of comments on the Async JWT Profile:

1.       This doesn't define general async capabilities for the /token endpoint. It defines async for the one specific case of swapping a JWT for an access token.

2.       Separate grant_type values indicating poll & push support would be better than one ...jwt-bearer:versatile value. The client needs to know the difference to know whether or not to include a client_notification_token (and whether or not it needs to be listening for notifications). The AS needs to know the difference to respond correctly. Separate values allow the AS to indicate support for poll, push, both, or neither by listing 0, 1 or both separate values in grant_types_supported in its metadata.

3.       A POSTed notification doesn't have an HTTP status code to distinguish success and error; both are JSON objects. The spec should explicitly state that the absence or presence of an "error" member in the JSON object distinguishes these cases.

4.       The properties required for a transaction_id are not clear, and I suspect they are quite different for the poll & push cases. Can it be a counter (1,2,3,...)? Can it repeat after the "expires_in" time? In the polling case, transaction_id acts as a bearer token; it would be better renamed poll_token. In the push case, it can probably be ignored as the client can use client_notification_token to link request & notification.

5.       Is it okay for a client to always use the same client_notification_token with a given AS (basically treat it as the AS's password)? Probably yes, just not recommended due to revocation implications.

6.       Need IANA registrations for client_notification_token, transaction_id (or whatever it is renamed to), authorization_pending, slow_down, and the other error codes if existing ones cannot be reused

James Manger

From: Openid-specs-mobile-profile [mailto:openid-specs-mobile-profile-bounces at lists.openid.net] On Behalf Of nicolas.aillery at orange.com
Sent: Wednesday, 29 March 2017 12:44 AM
To: openid-specs-mobile-profile at lists.openid.net
Subject: [Openid-specs-mobile-profile] [Async JWT Profile] draft-oauth-versatile-jwt-profile-01

Hello everybody,

   Please find in attachment a first draft of a JWT Assertion profile enabling both synchronous and asynchronous interactions.

   Your review will be welcome,


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-mobile-profile/attachments/20170329/9b0d6d97/attachment.html>

More information about the Openid-specs-mobile-profile mailing list