[Openid-specs-ab] JSON Web Token (JWT) Bearer Profile for OAuth 2.0

John Bradley ve7jtb at ve7jtb.com
Thu Sep 1 17:49:01 UTC 2011


On 2011-09-01, at 4:09 AM, nov matake wrote:

> Hi all,
> 
> I hadn't noticed the "JSON Web Token (JWT) Bearer Profile for OAuth 2.0" spec until now, but it seems interesting for Connecters.
> In this spec, JWT is used as a grant, not an access token.
> 
> I briefly imagined whether id_token could be used as a JWT grant.
> 
> ===
> # Step 1. Authorization Request
> 
> [Request]
> * GET /authorize?response_type=id_token&..
> 
> [Response]
> * https://client.example.com/callback#id_token=YOUR_ID_TOKEN
> * or id_token in query? # BTW, why does id_token have to be in the fragment?
> 
If it is a query parameter it will leak through the referrer and be included in HTTP logs and other places that you don't want it, for privacy and security reasons.
> 
> # Step 2. Check Session Request (OPTIONAL)
> 
> [Request]
> * POST /check_session?id_token=YOUR_ID_TOKEN
> 
> [Response]
> * Extracted ID Token in JSON
> 
> 
> # Step 3. Token Request
> 
> [Request]
> * POST /token?grant_type=http://oauth.net/grant_type/jwt/1.0/bearer&jwt=YOUR_ID_TOKEN
> 
You could use the token like this; however, you still need to authenticate the client. You have a JWT signed by the server, not the client.
You would still need to pass the client secret, or somehow over-sign the JWT with the client secret.

The JWT Bearer token profile is for cases where the IdP can validate the client's signature on the JWT.

What I think you are proposing is more like using a JWT for Code. That doesn't get around needing to ask for code+token in the implicit flow, so that the JS client gets an access token.
That is required when you have a non-SSL web host.

John


> [Response]
> * Access Token in JSON
> ===
> 
> If you're interested in it, please give me feedback.
> 
> Thanks in advance
> 
> --
> nov
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab
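The point John makes above, that a JWT bearer grant must carry a signature the token endpoint can tie to the client, can be checked in code. The example below is added here and is not code from either poster or from the JWT Bearer profile itself. It models the token endpoint side of the jwt bearer grant with HS256, using the client secret as the client's signing key and an OP signing key for id_tokens; the client id, keys, issuer, token endpoint URL and timestamps are all constructed values.

```python
import base64
import hashlib
import hmac
import json

# Constructed values for the demonstration (not from the thread).
TOKEN_ENDPOINT = "https://op.example.com/token"   # audience a bearer assertion must name
CLIENT_ID = "s6BhdRkqt3"
CLIENT_SECRET = b"client-secret-constructed"      # key the client signs assertions with
OP_ISSUER = "https://op.example.com"
OP_SIGNING_KEY = b"op-signing-key-constructed"    # key the OP signs id_tokens with
NOW = 1314899341                                  # fixed "current time" for the checks
REGISTERED_CLIENT_KEYS = {CLIENT_ID: CLIENT_SECRET}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jwt_hs256(claims: dict, key: bytes) -> str:
    """Mint a compact-serialised HS256 JWT (header.payload.signature)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    return f"{header}.{payload}.{b64url(hmac.new(key, signing_input, hashlib.sha256).digest())}"


def verify_jwt_bearer_assertion(token: str, client_keys: dict, now: int) -> dict:
    """Token-endpoint check for grant_type=...jwt bearer.

    The assertion is accepted only if its issuer is a registered client and the
    signature verifies under *that client's* key; a JWT signed by the server
    (an id_token) never satisfies this, which is the objection raised above.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":            # also rejects alg=none
        raise ValueError("unsupported alg")
    claims = json.loads(b64url_decode(p))
    key = client_keys.get(claims.get("iss"))
    if key is None:
        raise ValueError("issuer is not a registered client")
    expected = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("signature not produced with the client's key")
    if claims.get("aud") != TOKEN_ENDPOINT:
        raise ValueError("audience is not this token endpoint")
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:
        raise ValueError("assertion expired or has no exp")
    return claims


def try_grant(token: str) -> str:
    try:
        verify_jwt_bearer_assertion(token, REGISTERED_CLIENT_KEYS, NOW)
        return "accepted"
    except ValueError as err:
        return f"rejected: {err}"


def demo() -> dict:
    # A proper bearer assertion: issued and signed by the client itself.
    client_assertion = jwt_hs256(
        {"iss": CLIENT_ID, "sub": CLIENT_ID, "aud": TOKEN_ENDPOINT, "exp": NOW + 300},
        CLIENT_SECRET)
    # An id_token from the OP, presented unchanged as the grant (nov's Step 3).
    id_token = jwt_hs256(
        {"iss": OP_ISSUER, "sub": "user-248289761001", "aud": CLIENT_ID, "exp": NOW + 3600},
        OP_SIGNING_KEY)
    # Same server-signed token with the claims rewritten to name the client as
    # issuer: the claims alone cannot make it a client assertion.
    relabelled = jwt_hs256(
        {"iss": CLIENT_ID, "sub": CLIENT_ID, "aud": TOKEN_ENDPOINT, "exp": NOW + 300},
        OP_SIGNING_KEY)
    return {
        "client_assertion": try_grant(client_assertion),
        "id_token_as_grant": try_grant(id_token),
        "id_token_relabelled": try_grant(relabelled),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The first case is accepted; the id_token is rejected because its issuer is the OP, not a registered client, and even with the issuer claim rewritten the signature still does not verify under the client's key. Whatever the token endpoint does with an id_token presented this way, it still has to authenticate the client separately, which is the point of the reply.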
