[Openid-specs-ab] JWT Header for signed id tokens

Karl McGuinness me at karlmcguinness.com
Thu Mar 13 18:51:19 UTC 2025


Yes, the Command Token in OP Commands is explicitly typed (command+jwt) per
https://openid.github.io/openid-provider-commands/main.html#name-cross-jwt-confusion

-Karl

On Thu, Mar 13, 2025 at 11:33 AM Brian Campbell via Openid-specs-ab <
openid-specs-ab at lists.openid.net> wrote:

> OP Command JWTs are explicitly typed, aren't they?
>
> On Thu, Mar 13, 2025 at 12:06 PM george--- via Openid-specs-ab <
> openid-specs-ab at lists.openid.net> wrote:
>
>> Hi,
>>
>> As part of OP Commands, a design goal is to re-use the signing mechanisms
>> of the id_tokens in the ecosystem (at least that is my understanding). In
>> looking at the OpenID Connect core spec, it’s not very clear what should be
>> present in the JWT Header object of a signed (JWS) id_token. The examples
>> in the appendix include the ‘kid’ and ‘alg’ claims.
>>
>> I’m wondering if it’s possible for the OP Command to be an explicitly
>> typed JWT to make it very clear it is NOT an id_token (rather than relying
>> on presence or absence of a nonce claim) and still use the same keys for
>> signing. It seems to me that the keys used for signing are not in any way
>> bound to only being used for id_tokens and hence could be used for other
>> JWT-based structures.
>>
>> That might make some of this simpler and allow OP Commands to be extended
>> in a cleaner way than trying to maintain some compatibility to id_tokens.
>>
>> Thoughts?
>>
>> George Fletcher
>> Identity Standards Architect
>> Practical Identity LLC
>>
>>
>>
>> _______________________________________________
>> Openid-specs-ab mailing list
>> Openid-specs-ab at lists.openid.net
>> https://lists.openid.net/mailman/listinfo/openid-specs-ab
>>
>
>
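
The check discussed in this thread, as an added example (not part of the original messages or of the OP Commands specification): a verifier that accepts a token only when its header carries the explicit type, so an id_token signed with the same key is rejected. HS256 with a constructed key stands in for the OP's signing key so the example runs on the standard library alone; the claim values and the helper names are assumptions.

```python
import base64, hashlib, hmac, json

KEY = b"constructed-demo-key"  # constructed; stands in for the OP's one signing key

def _enc(obj) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _dec(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def sign(header: dict, claims: dict) -> str:
    signing_input = f"{_enc(header)}.{_enc(claims)}"
    mac = hmac.new(KEY, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{base64.urlsafe_b64encode(mac).rstrip(b'=').decode()}"

def verify(token: str, expected_typ: str) -> dict:
    """Check the signature, then require the explicit type before using claims."""
    try:
        h64, c64, s64 = token.split(".")
        header, claims, sig = json.loads(_dec(h64)), json.loads(_dec(c64)), _dec(s64)
    except ValueError as exc:  # wrong part count, bad base64, bad JSON
        raise ValueError("malformed JWT") from exc
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected header or alg")
    good = hmac.new(KEY, f"{h64}.{c64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, good):
        raise ValueError("bad signature")
    # RFC 7515 4.1.9: typ compares case-insensitively, "application/" may be omitted
    typ = header.get("typ")
    typ = typ.lower() if isinstance(typ, str) else ""
    if typ.startswith("application/"):
        typ = typ[len("application/"):]
    if typ != expected_typ:
        raise ValueError(f"wrong typ: {header.get('typ')!r}")
    return claims

def is_command_token(token: str) -> bool:
    try:
        verify(token, "command+jwt")
        return True
    except ValueError:
        return False

# Constructed sample tokens, both signed with the same key.
CLAIMS = {"iss": "https://op.example", "aud": "rp-client", "sub": "user-1"}
ID_TOKEN = sign({"alg": "HS256", "kid": "k1"}, {**CLAIMS, "nonce": "n-1"})
COMMAND_TOKEN = sign({"alg": "HS256", "kid": "k1", "typ": "command+jwt"}, CLAIMS)
```

Both sample tokens carry valid signatures under the same key; only the `typ` check separates them.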