[Openid-specs-ab] FW: Is an OpenID Connect request really a JWT?

Mike Jones Michael.Jones at microsoft.com
Fri May 18 05:50:51 UTC 2012


For what it's worth, I've received similar feedback from other parties.  We should probably consider changing the description of the request object from being a JWT to being a JWS signed JSON object.

-- Mike

From: jose-bounces at ietf.org [mailto:jose-bounces at ietf.org] On Behalf Of Manger, James H
Sent: Thursday, May 17, 2012 9:49 PM
To: jose at ietf.org
Subject: [jose] Is an OpenID Connect request really a JWT?

OpenID Connect [http://openid.net/specs/openid-connect-standard-1_0.html#req_param_method] says:
  "The request parameter is a JWT encoded OpenID Request Object...
   The JWT object MAY be signed or signed and encrypted via JWS and JWE"

It gives the example below, which is a JWS with "typ":"JWT". The payload is a JSON object with 8 fields (response_type, client_id, redirect_uri, scope, state, nonce, userinfo (with lots of sub-fields), id_token (with sub-fields)). The payload has none of the 8 reserved claims from the JWT spec (exp, nbf, iat, iss, aud, prn, jti, typ).

Can we really call that a JWT?
It seems implausible that the 8 fields in this example (response_type...) are supposed to be treated as "Private Claim Names" as per the JWT spec.

We have two totally separate ideas both being called "JWT".

1. JSON object carrying a bunch of claims.

2. A base64-based way to package any blob of bytes in unprotected, signed, or encrypted forms.

Suggestion: use "JWT" for #2; pick a new name for #1 (perhaps JSON Claim Set); lots of changes to spec text.


JWT algorithm = HS256
HMAC HASH Key = 'aaa'

JSON Encoded Header = "{"alg":"HS256","typ":"JWT"}"

JSON Encoded Payload = "{"response_type":"code id_token",
    "client_id":"s6BhdRkqt3",
    "redirect_uri":"https://client.example.com/cb",
    "scope":"openid profile",
    "state":"af0ifjsldkj",
    "nonce":"n-0S6_WzA2Mj",
    "userinfo":{"claims":{"name":null,"nickname":{"optional":true},
        "email":null,"verified":null,
        "picture":{"optional":true}}},
    "id_token":{"max_age":86400,"claims":{"acr":{"values":["2"]}}}}"

JWT = eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJyZXNwb25zZV90eXBlIjoiY29kZ
    SBpZF90b2tlbiIsImNsaWVudF9pZCI6InM2QmhkUmtxdDMiLCJyZWRpcmVjdF91cmkiO
    iJodHRwczpcL1wvY2xpZW50LmV4YW1wbGUuY29tXC9jYiIsInNjb3BlIjoib3BlbmlkI
    HByb2ZpbGUiLCJzdGF0ZSI6ImFmMGlmanNsZGtqIiwibm9uY2UiOiJuLTBTNl9XekEyT
    WoiLCJ1c2VyaW5mbyI6eyJjbGFpbXMiOnsibmFtZSI6bnVsbCwibmlja25hbWUiOnsib
    3B0aW9uYWwiOnRydWV9LCJlbWFpbCI6bnVsbCwidmVyaWZpZWQiOm51bGwsInBpY3R1c
    mUiOnsib3B0aW9uYWwiOnRydWV9fX0sImlkX3Rva2VuIjp7Im1heF9hZ2UiOjg2NDAwL
    CJjbGFpbXMiOnsiYWNyIjp7InZhbHVlcyI6WyIyIl19fX19.ou2Yc1B9a5iZLqbzBxE9
    5aNS0pSfRClCqM77n85ehGo

--
James Manger
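The following is an added worked example, not part of the mail or of the OpenID Connect specification it quotes. It reassembles the sample request object from the line-wrapped form above, decodes its header and payload, checks the payload against the eight reserved claim names James lists, and shows what the JWS half of the picture (HS256 over header.payload) looks like in code: signing, verifying, pinning the algorithm, and rejecting a tampered payload. The helper names (b64url_decode, decode_jws, sign_hs256, verify_hs256, quoted_signature_matches) are mine; the key 'aaa' is the sample key quoted in the mail, and quoted_signature_matches() simply reports whether the quoted signature recomputes under it rather than assuming the answer.

```python
import base64
import hashlib
import hmac
import json

# The request object quoted in the mail, reassembled from its line-wrapped
# form (header.payload.signature). The key 'aaa' is the sample key the mail
# quotes; both are demonstration values only.
SAMPLE_JWT = (
    "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9"
    ".eyJyZXNwb25zZV90eXBlIjoiY29kZ"
    "SBpZF90b2tlbiIsImNsaWVudF9pZCI6InM2QmhkUmtxdDMiLCJyZWRpcmVjdF91cmkiO"
    "iJodHRwczpcL1wvY2xpZW50LmV4YW1wbGUuY29tXC9jYiIsInNjb3BlIjoib3BlbmlkI"
    "HByb2ZpbGUiLCJzdGF0ZSI6ImFmMGlmanNsZGtqIiwibm9uY2UiOiJuLTBTNl9XekEyT"
    "WoiLCJ1c2VyaW5mbyI6eyJjbGFpbXMiOnsibmFtZSI6bnVsbCwibmlja25hbWUiOnsib"
    "3B0aW9uYWwiOnRydWV9LCJlbWFpbCI6bnVsbCwidmVyaWZpZWQiOm51bGwsInBpY3R1c"
    "mUiOnsib3B0aW9uYWwiOnRydWV9fX0sImlkX3Rva2VuIjp7Im1heF9hZ2UiOjg2NDAwL"
    "CJjbGFpbXMiOnsiYWNyIjp7InZhbHVlcyI6WyIyIl19fX19"
    ".ou2Yc1B9a5iZLqbzBxE95aNS0pSfRClCqM77n85ehGo"
)
SAMPLE_KEY = b"aaa"

# The reserved claim names the mail lists from the JWT draft of the time.
RESERVED_CLAIMS = {"exp", "nbf", "iat", "iss", "aud", "prn", "jti", "typ"}


def b64url_decode(s):
    """base64url without padding, as JWS uses it; re-add '=' before decoding."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def split_jws(token):
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("compact JWS must have exactly 3 dot-separated segments")
    return parts


def decode_jws(token):
    """Return (header, payload) as dicts. Decoding only; no signature check."""
    h, p, _ = split_jws(token)
    return json.loads(b64url_decode(h)), json.loads(b64url_decode(p))


def reserved_claims_present(payload):
    """Which of the JWT draft's reserved claim names appear in the payload."""
    return sorted(RESERVED_CLAIMS & set(payload))


def sign_hs256(header, payload, key):
    """Produce header.payload.signature with HMAC-SHA256 over the signing input."""
    compact = dict(separators=(",", ":"))
    signing_input = (b64url_encode(json.dumps(header, **compact).encode()) + "."
                     + b64url_encode(json.dumps(payload, **compact).encode()))
    mac = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)


def verify_hs256(token, key):
    """True only if the header says HS256 and the MAC over the original
    header.payload bytes matches, compared in constant time."""
    h, p, s = split_jws(token)
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":
        return False  # the verifier, not the token, decides the algorithm
    expected = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    try:
        given = b64url_decode(s)
    except ValueError:
        return False
    return hmac.compare_digest(expected, given)


def quoted_signature_matches():
    """Does the signature quoted in the mail recompute under the quoted key?"""
    return verify_hs256(SAMPLE_JWT, SAMPLE_KEY)


if __name__ == "__main__":
    header, payload = decode_jws(SAMPLE_JWT)
    print("header:", header)
    print("payload fields:", sorted(payload))
    print("reserved JWT claims present:", reserved_claims_present(payload))
    print("quoted signature verifies with key 'aaa':", quoted_signature_matches())
```

Run stand-alone it prints the decoded header, the eight payload field names, and an empty list of reserved claims, which is James's point in code: what is being signed is an application-defined JSON object, and the only "JWT-ness" is the JWS envelope and the "typ" header. The verifier pins the algorithm and compares the MAC in constant time; a relying party that let the token's own header choose the algorithm would be trusting the thing it is trying to check.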
