[Openid-specs-ab] "jti" claim in client_secret_jwt and private_key_jwt JWTs

Mike Jones Michael.Jones at microsoft.com
Fri Oct 25 23:49:29 UTC 2013


The spec currently says this about JWTs used for client_secret_jwt and private_key_jwt:
jti
REQUIRED. JWT ID. A unique identifier for the token. The JWT ID MAY be used by implementations requiring message de-duplication for one-time use assertions.

Brian asked us to drop the sentence "The JWT ID MAY be used by implementations requiring message de-duplication for one-time use assertions" in both cases.

A few questions:

1. Why is "jti" required?
2. How do we expect it to normally be used?
3. Would it be typical for assertions to be for one-time use in our use cases?
4. How would a client know whether an assertion is for one-time use?
5. Should "jti" only be present if the assertion is for one-time use?
6. Should it be required at all?

-- Mike
