[Openid-specs-ab] Potential Future Interoperability issues with JWTs for User Info
Andreas Åkre Solberg
andreas.solberg at uninett.no
Wed Aug 24 04:56:29 UTC 2011
JWT-05 Section 6 defines the following rule for validating JWTs.
> 6. When used in a security-related context, the Decoded JWT Claim
> Segment MUST be validated to only include claims whose syntax
> and semantics are both understood and supported.
The way I interpret this, it would mean that introducing new claims in a schema may be a risky business, because consumers, according to the spec, should reject the whole JWT even if only a single claim is 'unknown'.
The same problems may be seen in other parts of the spec where JWTs are used, where the members/claims are likely to get additions or provider-specific values.
One way this could be dealt with would be to have some kind of negotiation of what claims are supported, through metadata (see my other posts about metadata, which give an example of this).
Andreas
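To make the two readings of the JWT-05 rule concrete, here is an added example that is not part of the post above and not code from any OpenID or JWT implementation. It decodes the claim segment of a constructed, unsigned JWT (signature checking is out of scope of the rule being discussed), then validates it once in the strict reading (any claim outside the consumer's understood set rejects the whole token) and once tolerantly (unknown claims are ignored, understood claims must still have valid syntax). The understood-claim set, the "name" and "locale" claims, the provider metadata with a `claims_supported` list, and `negotiate_claims` are all assumptions made up for this example to sketch the metadata negotiation idea; they are not taken from the spec.

```python
import base64
import json

# Claims this consumer understands, each with a syntax check.  Assumed set for
# the example: iss/sub/aud/exp/iat as registered in JWT-05, plus a
# hypothetical user-info claim "name".  Not taken from the spec text.
UNDERSTOOD_CLAIMS = {
    "iss": lambda v: isinstance(v, str),
    "sub": lambda v: isinstance(v, str),
    "aud": lambda v: isinstance(v, str),
    "exp": lambda v: isinstance(v, int) and v > 0,
    "iat": lambda v: isinstance(v, int) and v > 0,
    "name": lambda v: isinstance(v, str),
}


def b64url_decode(segment: str) -> bytes:
    """Decode base64url without padding, as JWT segments are encoded."""
    pad = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + pad)


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_unsigned_jwt(claims: dict) -> str:
    """Build a constructed, unsigned JWT (alg=none, empty signature segment)
    purely so the example runs offline.  Signature verification is not part
    of the claim-validation rule being discussed."""
    header = b64url_encode(json.dumps({"typ": "JWT", "alg": "none"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{body}."


def decode_claim_segment(jwt: str) -> dict:
    """Return the decoded JWT Claim Segment (second dot-separated segment)."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT: expected three segments")
    claims = json.loads(b64url_decode(parts[1]))
    if not isinstance(claims, dict):
        raise ValueError("claim segment is not a JSON object")
    return claims


def validate_claims(claims: dict, understood=UNDERSTOOD_CLAIMS, strict=True):
    """Apply the JWT-05 section 6 rule in two readings.

    strict=True:  the reading in the mail above; any claim whose name is not
                  in `understood` rejects the whole JWT.
    strict=False: unknown claims are ignored; only the understood claims that
                  are present must pass their syntax check.
    Returns (accepted, sorted list of unknown claim names)."""
    unknown = sorted(name for name in claims if name not in understood)
    # A claim we do understand but whose syntax is wrong is rejected either way.
    for name, check in understood.items():
        if name in claims and not check(claims[name]):
            return False, unknown
    if strict and unknown:
        return False, unknown
    return True, unknown


def negotiate_claims(provider_claims_supported, understood=UNDERSTOOD_CLAIMS):
    """Sketch of the metadata negotiation idea (hypothetical metadata shape):
    the consumer keeps only the claims the provider advertises AND it
    understands, so a token restricted to this set passes even strict
    validation.  The consumer would request or accept just these."""
    return sorted(set(provider_claims_supported) & set(understood))


# Constructed example inputs (not real provider data).
PROVIDER_METADATA = {
    "claims_supported": ["iss", "sub", "aud", "exp", "iat", "name", "locale"],
}
TOKEN_WITH_NEW_CLAIM = make_unsigned_jwt({
    "iss": "https://op.example",
    "sub": "alice",
    "aud": "https://rp.example",
    "exp": 1314200000,
    "iat": 1314196400,
    "name": "Alice",
    "locale": "nb-NO",  # the "new" claim this consumer has never heard of
})


if __name__ == "__main__":
    claims = decode_claim_segment(TOKEN_WITH_NEW_CLAIM)
    print("strict  :", validate_claims(claims, strict=True))
    print("tolerant:", validate_claims(claims, strict=False))
    agreed = negotiate_claims(PROVIDER_METADATA["claims_supported"])
    print("negotiated claim set:", agreed)
    trimmed = {k: v for k, v in claims.items() if k in agreed}
    print("strict on negotiated token:", validate_claims(trimmed, strict=True))
```

Under the strict reading the token is rejected solely because of "locale", which is exactly the interoperability problem the post raises; under the tolerant reading it is accepted with "locale" reported as ignored. Restricting the token to the negotiated set makes it pass even the strict check, which is the effect the metadata proposal is after.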