[Openid-specs-ab] FW: Is an OpenID Connect request really a JWT?

John Bradley ve7jtb at ve7jtb.com
Fri May 18 11:39:14 UTC 2012


Yes, we wound up using the OAuth names rather than the JWT names. We should make that change.


On 2012-05-18, at 1:50 AM, Mike Jones wrote:

> For what it’s worth, I’ve received similar feedback from other parties.  We should probably consider changing the description of the request object from being a JWT to being a JWS signed JSON object.
>  
> -- Mike
>  
> From: jose-bounces at ietf.org [mailto:jose-bounces at ietf.org] On Behalf Of Manger, James H
> Sent: Thursday, May 17, 2012 9:49 PM
> To: jose at ietf.org
> Subject: [jose] Is an OpenID Connect request really a JWT?
>  
> OpenID Connect [http://openid.net/specs/openid-connect-standard-1_0.html#req_param_method] says:
>   “The request parameter is a JWT encoded OpenID Request Object…
>    The JWT object MAY be signed or signed and encrypted via JWS and JWE”
>  
> It gives the example below, which is a JWS with "typ":"JWT". The payload is a JSON object with 8 fields (response_type, client_id, redirect_uri, scope, state, nonce, userinfo (with lots of sub-fields), id_token (with sub-fields)). The payload has none of the 8 reserved claims from the JWT spec (exp, nbf, iat, iss, aud, prn, jti, typ).
>  
> Can we really call that a JWT?
> It seems implausible that the 8 fields in this example (response_type…) are supposed to be treated as "Private Claim Names" as per the JWT spec.
>  
> We have two totally separate ideas both being called “JWT”.
> 1. JSON object carrying a bunch of claims.
> 2. A base64-based way to package any blob of bytes in unprotected, signed, or encrypted forms.
>  
> Suggestion: use "JWT" for #2; pick a new name for #1 (perhaps JSON Claim Set); lots of changes to spec text.
>  
>  
> JWT algorithm = HS256
> HMAC HASH Key = 'aaa'
>  
> JSON Encoded Header = "{"alg":"HS256","typ":"JWT"}"
> JSON Encoded Payload = "{"response_type":"code id_token",
>     "client_id":"s6BhdRkqt3",
>     "redirect_uri":"https://client.example.com/cb",
>     "scope":"openid profile",
>     "state":"af0ifjsldkj",
>     "nonce":"n-0S6_WzA2Mj",
>     "userinfo":{"claims":{"name":null,"nickname":{"optional":true},
>         "email":null,"verified":null,
>         "picture":{"optional":true}}},
>     "id_token":{"max_age":86400,"claims":{"acr":{"values":["2"]}}}}"
>  
> JWT = eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJyZXNwb25zZV90eXBlIjoiY29kZ
>     SBpZF90b2tlbiIsImNsaWVudF9pZCI6InM2QmhkUmtxdDMiLCJyZWRpcmVjdF91cmkiO
>     iJodHRwczpcL1wvY2xpZW50LmV4YW1wbGUuY29tXC9jYiIsInNjb3BlIjoib3BlbmlkI
>     HByb2ZpbGUiLCJzdGF0ZSI6ImFmMGlmanNsZGtqIiwibm9uY2UiOiJuLTBTNl9XekEyT
>     WoiLCJ1c2VyaW5mbyI6eyJjbGFpbXMiOnsibmFtZSI6bnVsbCwibmlja25hbWUiOnsib
>     3B0aW9uYWwiOnRydWV9LCJlbWFpbCI6bnVsbCwidmVyaWZpZWQiOm51bGwsInBpY3R1c
>     mUiOnsib3B0aW9uYWwiOnRydWV9fX0sImlkX3Rva2VuIjp7Im1heF9hZ2UiOjg2NDAwL
>     CJjbGFpbXMiOnsiYWNyIjp7InZhbHVlcyI6WyIyIl19fX19.ou2Yc1B9a5iZLqbzBxE9
>     5aNS0pSfRClCqM77n85ehGo
>  
>  
>  
> --
> James Manger
>  
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab
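An added example, written for this page and not part of the thread, the OpenID Connect spec, or any library: it takes the header, payload and HMAC key 'aaa' from James Manger's message, wraps the request object as a compact JWS with HS256, and verifies it the way a relying party should, computing the MAC over the exact base64url segments received (never over re-serialized JSON), pinning the header's alg to HS256 so "alg":"none" is refused, and only then parsing the payload. It also reports which of the eight reserved claim names from the JWT draft appear at the top level of the request object, which is the thread's point: none do, so the signed thing is a JWS-wrapped JSON object rather than a claim set. Function names (`sign_hs256`, `verify_hs256`, `reserved_claims_present`, `demo`) are this example's own, as is the tampered-input set; only Python's standard library is used.

```python
import base64
import hashlib
import hmac
import json

# The eight claim names the JWT draft of the time reserved (as listed in the thread).
JWT_RESERVED_CLAIMS = {"exp", "nbf", "iat", "iss", "aud", "prn", "jti", "typ"}


def b64url_encode(data: bytes) -> str:
    """Base64url without '=' padding, as JWS compact serialization requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Base64url decode that restores the stripped padding first."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(header: dict, payload: dict, key: bytes) -> str:
    """Wrap any JSON object as a compact JWS (header.payload.signature) using HS256."""
    h = b64url_encode(json.dumps(header, separators=(",", ":")).encode("utf-8"))
    p = b64url_encode(json.dumps(payload, separators=(",", ":")).encode("utf-8"))
    sig = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url_encode(sig)}"


def verify_hs256(token: str, key: bytes):
    """Return the payload dict if the JWS verifies under HS256 with `key`, else None.

    The MAC is checked over the exact base64url segments that arrived, never over
    re-serialized JSON, and the header's alg is pinned to HS256 so a token that
    says "none" (or any other algorithm) is refused before any MAC is computed.
    Nothing in the payload is interpreted until the MAC has matched.
    """
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s)):
            return None
        payload = json.loads(b64url_decode(p))
        return payload if isinstance(payload, dict) else None
    except ValueError:  # wrong segment count, bad base64 or bad JSON: reject, do not crash
        return None


def reserved_claims_present(payload: dict) -> set:
    """Which of the JWT draft's reserved claims appear at the top level of `payload`."""
    return JWT_RESERVED_CLAIMS & set(payload)


# Header, payload and key reconstructed from James Manger's message above.
EXAMPLE_HEADER = {"alg": "HS256", "typ": "JWT"}
EXAMPLE_PAYLOAD = {
    "response_type": "code id_token",
    "client_id": "s6BhdRkqt3",
    "redirect_uri": "https://client.example.com/cb",
    "scope": "openid profile",
    "state": "af0ifjsldkj",
    "nonce": "n-0S6_WzA2Mj",
    "userinfo": {"claims": {"name": None, "nickname": {"optional": True},
                            "email": None, "verified": None,
                            "picture": {"optional": True}}},
    "id_token": {"max_age": 86400, "claims": {"acr": {"values": ["2"]}}},
}
EXAMPLE_KEY = b"aaa"


def demo() -> dict:
    """Sign the example request object, then verify it and several tampered forms."""
    token = sign_hs256(EXAMPLE_HEADER, EXAMPLE_PAYLOAD, EXAMPLE_KEY)
    h, p, s = token.split(".")
    # Flip the first signature character: the MAC no longer matches.
    bad_sig = f"{h}.{p}." + ("A" if s[0] != "A" else "B") + s[1:]
    # Widen the scope but reuse the original signature: the MAC no longer matches.
    widened = dict(EXAMPLE_PAYLOAD, scope="openid profile email")
    forged_p = b64url_encode(json.dumps(widened, separators=(",", ":")).encode("utf-8"))
    forged = f"{h}.{forged_p}.{s}"
    # Unsecured JWS (alg=none, empty signature): refused by the alg pin, not by the MAC.
    unsigned = b64url_encode(b'{"alg":"none"}') + f".{p}."
    return {
        "roundtrip": verify_hs256(token, EXAMPLE_KEY) == EXAMPLE_PAYLOAD,
        "tampered_sig_rejected": verify_hs256(bad_sig, EXAMPLE_KEY) is None,
        "forged_payload_rejected": verify_hs256(forged, EXAMPLE_KEY) is None,
        "wrong_key_rejected": verify_hs256(token, b"bbb") is None,
        "alg_none_rejected": verify_hs256(unsigned, EXAMPLE_KEY) is None,
        "reserved_claims": reserved_claims_present(EXAMPLE_PAYLOAD),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The token this produces will not be byte-identical to the one in the message, because the thread's header segment encodes the keys in the order {"typ","alg"} and its payload escapes the slashes in the redirect_uri; that is exactly why the verifier above MACs the received segments rather than re-serializing. Pasting the thread's own token into `verify_hs256(token, b"aaa")` returns its payload only if the MAC over those exact segments matches. Note also that because the request object carries none of exp, nbf or iat, the usual JWT time-window checks have nothing to act on; freshness of a request object has to come from elsewhere (for example the nonce and state the client itself chose).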
