[Openid-specs-ab] "jti" claim in client_secret_jwt and private_key_jwt JWTs
Michael.Jones at microsoft.com
Fri Oct 25 23:49:29 UTC 2013
The spec currently says this about JWTs used for client_secret_jwt and private_key_jwt:
REQUIRED. JWT ID. A unique identifier for the token. The JWT ID MAY be used by implementations requiring message de-duplication for one-time use assertions.
Brian asked us to drop the sentence "The JWT ID MAY be used by implementations requiring message de-duplication for one-time use assertions" in both cases.
A few questions:
1. Why is "jti" required?
2. How do we expect it to normally be used?
3. Would it be typical for assertions to be for one-time use in our use cases?
4. How would a client know whether an assertion is for one-time use?
5. Should "jti" only be present if the assertion is for one-time use?
6. Should it be required at all?
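The following is an added example, not part of the original message or of the OpenID Connect specification text it quotes. It shows the token-endpoint side of the check the quoted sentence alludes to: a client_secret_jwt assertion is verified (HS256 with the standard library only), its standard claims are checked, and the "jti" is then remembered until the assertion's own "exp" so that a second presentation is rejected. The client_id, shared secret and token endpoint URL are constructed values, and the assumption that the endpoint enforces one-time use is this example's, since the spec text says only that implementations MAY do so.

```python
"""Added example: jti-based replay protection for client_secret_jwt assertions.
Not the spec's or any project's code; all identifiers are constructed."""
import base64
import hashlib
import hmac
import json
import time
import uuid

CLIENT_SECRET = b"constructed-demo-shared-secret"   # constructed (assumed) client secret
TOKEN_ENDPOINT = "https://op.example.com/token"     # constructed (assumed) audience


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_client_assertion(client_id, secret=CLIENT_SECRET, lifetime=60, now=None):
    """Client side: build a client_secret_jwt assertion carrying the required
    claims (iss, sub, aud, jti, exp) with a fresh random jti each time."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "iss": client_id,
        "sub": client_id,
        "aud": TOKEN_ENDPOINT,
        "jti": str(uuid.uuid4()),
        "exp": now + lifetime,
        "iat": now,
    }
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


class AssertionVerifier:
    """Server side: verify the signature and standard claims, then enforce
    one-time use by remembering each (client_id, jti) until that assertion's exp.
    Because an assertion is unusable after exp anyway, the replay store only has
    to hold a jti for the assertion's lifetime, not forever."""

    def __init__(self, secrets):
        self.secrets = secrets      # client_id -> shared secret
        self.seen = {}              # (client_id, jti) -> exp

    def verify(self, assertion, now=None):
        now = int(time.time()) if now is None else now
        try:
            h_b64, c_b64, s_b64 = assertion.split(".")
        except ValueError:
            return False, "malformed"
        header = json.loads(_b64url_decode(h_b64))
        if header.get("alg") != "HS256":          # reject "none" and anything unexpected
            return False, "unsupported alg"
        claims = json.loads(_b64url_decode(c_b64))
        client_id = claims.get("iss")
        secret = self.secrets.get(client_id)
        if secret is None or claims.get("sub") != client_id:
            return False, "unknown client"
        expected = hmac.new(secret, (h_b64 + "." + c_b64).encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
            return False, "bad signature"
        aud = claims.get("aud")
        aud = [aud] if isinstance(aud, str) else (aud or [])
        if TOKEN_ENDPOINT not in aud:
            return False, "bad audience"
        exp = claims.get("exp")
        if not isinstance(exp, int) or exp <= now:
            return False, "expired"
        jti = claims.get("jti")
        if not isinstance(jti, str) or not jti:
            return False, "missing jti"
        # Drop remembered jtis whose assertions have expired: they cannot be replayed.
        self.seen = {k: v for k, v in self.seen.items() if v > now}
        key = (client_id, jti)
        if key in self.seen:
            return False, "replayed jti"
        self.seen[key] = exp
        return True, "ok"


if __name__ == "__main__":
    verifier = AssertionVerifier({"constructed-client": CLIENT_SECRET})
    assertion = make_client_assertion("constructed-client")
    print(verifier.verify(assertion))   # first use accepted
    print(verifier.verify(assertion))   # same jti again is rejected
```

The de-duplication store is keyed on (client_id, jti) rather than jti alone, since each client chooses its own identifiers and two clients may legitimately collide. Entries are purged once their assertion's exp has passed, which is what keeps the store bounded; a deployment with several token-endpoint instances would need a shared store with the same expiry rule.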