[Openid-specs-mobile-profile] Issue #93: use Public Claim Names for CIBA JWT claims (openid/mobile)

Brian Campbell issues-reply at bitbucket.org
Mon Oct 1 20:22:01 UTC 2018

New issue 93: use Public Claim Names for CIBA JWT claims

Brian Campbell:

Related to Issue #86 CIBA needs IANA Considerations, there are two new JWT claims in 10.3.1. Successful Token Delivery - rt_hash and auth_req_id.

New claims used in a specification really should be registered or use a collision-resistant name a.k.a. a Public Claim Name as discussed at https://tools.ietf.org/html/rfc7519#section-4.2  

Based on the advice to the Designated Experts about claims registration https://tools.ietf.org/html/rfc7519#section-10.1 and what I know about how that advice has been interpreted, I suspect there would be some push-back on the registration requests for rt_hash as it's written now and for auth_req_id in general.    

Given that in CIBA the ID token is always passed in the HTTP message body, the size is not of particular concern. I'd propose using public collision-resistant names for the non-standard JWT claims used in CIBA. Perhaps ```urn:openid:params:jwt:claim:rt_hash``` and ```urn:openid:params:jwt:claim:auth_req_id```.
