[Openid-specs-mobile-profile] Issue #165: nbf and jti claims in section 7.1.1. (openid/mobile)

jolivasf issues-reply at bitbucket.org
Fri Sep 27 09:14:45 UTC 2019

New issue 165: nbf and jti claims in section 7.1.1.

Jorge Oliva:

In Section [7.1.1.](https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0.html#rfc.section.7.1.1) say that  “The JWT MUST also contain the following [\[RFC7519\]](https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0.html#RFC7519) registered claims:“ and then in the list nbf and jti appear, but reading the JWT specification this claims are optionals and also reading OpenId Connect Core Section 6 where describe the “Passing a Request Object by Value“ only say that claims `iss` and `aud` are mandatory if the JWT requets is signed.

The question here is, why CIBA put nbf and jti claim as mandatory?

More information about the Openid-specs-mobile-profile mailing list