[Openid-specs-ab] [openid/connect] Contradictory OPTIONAL MUSTs in JWT Client Authentication (issue #695)

Brian Campbell issues-reply at bitbucket.org
Fri Jan 11 00:23:46 UTC 2013


New issue 695: Contradictory OPTIONAL MUSTs in JWT Client Authentication

Brian Campbell:

http://openid.net/specs/openid-connect-messages-1_0-14.html#client_authentication for both client_secret_jwt and private_key_jwt has "The JWT MUST contain the Claims:" followed by a number of claims, including "iat", which is listed as OPTIONAL within the context of MUST, which is confusing at best and a logical contradiction at worst.

Note that iat is optional in http://tools.ietf.org/html/draft-jones-oauth-jwt-bearer-04 so it probably should be in Connect too.

Seems the wording just needs to be reworked (or iat removed from this section of Connect) to avoid the contradiction.

FWIW, there's also a ton of verbatim duplicate text between the client_secret_jwt and private_key_jwt sections that could probably be consolidated.



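Added example, not code from the issue, the mailing list, or the OpenID specifications: a minimal client_secret_jwt client assertion built and then verified at a token endpoint using HS256 from the Python standard library, with iat treated as OPTIONAL the way the issue argues it should be. The claim set used here (iss, sub, aud, jti and exp required, iat optional), the rule that iss and sub both carry the client_id, the client_id, the client secret and the token endpoint URL are all constructed assumptions for illustration. The private_key_jwt variant would differ only in the signing step (an asymmetric key in place of the shared client secret), which is exactly why the two spec sections share so much text.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed sample values (not taken from the issue or the spec).
CLIENT_ID = "s6BhdRkqt3"
CLIENT_SECRET = "constructed-client-secret-for-demo-only"
TOKEN_ENDPOINT = "https://op.example.com/token"

# Claims assumed REQUIRED in a client_secret_jwt assertion. "iat" is the claim
# the issue says should be OPTIONAL, so it is deliberately not in this tuple.
REQUIRED_CLAIMS = ("iss", "sub", "aud", "jti", "exp")


class ClientAssertionError(Exception):
    """Raised when a client assertion fails a verification check."""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_client_assertion(client_id, client_secret, token_endpoint,
                          lifetime=60, include_iat=True, now=None):
    """Client side: build an HS256-signed client_secret_jwt assertion."""
    now = int(time.time()) if now is None else now
    claims = {
        "iss": client_id,                  # the client is both issuer ...
        "sub": client_id,                  # ... and subject (assumed rule)
        "aud": token_endpoint,             # the endpoint that will verify it
        "jti": secrets.token_urlsafe(16),  # unique id so replays can be caught
        "exp": now + lifetime,             # keep the lifetime short
    }
    if include_iat:
        claims["iat"] = now                # OPTIONAL: omitted when not wanted
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(client_secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_client_assertion(assertion, secret_for_client, token_endpoint,
                            seen_jti, now=None, max_age=None, skew=30):
    """Token endpoint side: return the claims if acceptable, else raise."""
    now = int(time.time()) if now is None else now
    parts = assertion.split(".")
    if len(parts) != 3:
        raise ClientAssertionError("malformed JWT")
    try:
        header = json.loads(_b64url_decode(parts[0]))
        claims = json.loads(_b64url_decode(parts[1]))
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        raise ClientAssertionError("undecodable JWT")
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise ClientAssertionError("JWT parts are not JSON objects")
    # Pin the algorithm: the token must not get to pick "none" or anything else.
    if header.get("alg") != "HS256":
        raise ClientAssertionError("unexpected alg")
    missing = [c for c in REQUIRED_CLAIMS if c not in claims]
    if missing:
        raise ClientAssertionError("missing required claims: " + ",".join(missing))
    if claims["iss"] != claims["sub"]:
        raise ClientAssertionError("iss and sub must both be the client_id")
    # iss is used only to look up the key; nothing is trusted until the MAC checks.
    secret = secret_for_client(claims["iss"])
    if secret is None:
        raise ClientAssertionError("unknown client")
    expected = hmac.new(secret.encode(), (parts[0] + "." + parts[1]).encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
        raise ClientAssertionError("bad signature")
    aud = claims["aud"] if isinstance(claims["aud"], list) else [claims["aud"]]
    if token_endpoint not in aud:
        raise ClientAssertionError("aud does not name this token endpoint")
    if now >= claims["exp"] + skew:
        raise ClientAssertionError("assertion expired")
    # iat is OPTIONAL: checked only when present, never required.
    if "iat" in claims:
        if claims["iat"] > now + skew:
            raise ClientAssertionError("iat in the future")
        if max_age is not None and now - claims["iat"] > max_age:
            raise ClientAssertionError("assertion too old")
    if claims["jti"] in seen_jti:
        raise ClientAssertionError("replayed jti")
    seen_jti.add(claims["jti"])
    return claims


def check_client_assertion(*args, **kwargs):
    """Wrapper for callers that want a reason string: None if accepted."""
    try:
        verify_client_assertion(*args, **kwargs)
        return None
    except ClientAssertionError as exc:
        return str(exc)
```

The verifier fails closed on everything the assumed spec text marks MUST and only validates iat when it is actually there; a server that instead rejected assertions lacking iat would be enforcing the contradictory reading the issue complains about. Note the ordering: the alg is pinned and the MAC is checked before any claim other than the key-lookup iss is acted on, and jti is only recorded after every other check passes, so a rejected assertion cannot poison the replay set.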