[Openid-specs-ab] "jti" claim in client_secret_jwt and private_key_jwt JWTs
ve7jtb at ve7jtb.com
Sat Oct 26 03:25:35 UTC 2013
Self-signed assertions must be single use. That is the point of using them vs a password. If you use the same assertion multiple times it is a password.
There are reasons to reuse a third party assertion, but it has the same security as a password.
Sent from my iPhone
> On Oct 25, 2013, at 7:49 PM, Mike Jones <Michael.Jones at microsoft.com> wrote:
> The spec currently says this about JWTs used for client_secret_jwt and private_key_jwt:
> REQUIRED. JWT ID. A unique identifier for the token. The JWT ID MAY be used by implementations requiring message de-duplication for one-time use assertions.
> Brian asked us to drop the sentence “The JWT ID MAY be used by implementations requiring message de-duplication for one-time use assertions” in both cases.
> A few questions:
> 1. Why is “jti” required?
> 2. How do we expect it to normally be used?
> 3. Would it be typical for assertions to be for one-time use in our use cases?
> 4. How would a client know whether an assertion is for one-time use?
> 5. Should “jti” only be present if the assertion is for one-time use?
> 6. Should it be required at all?
> -- Mike
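As an added illustration, not code from this thread or from any OpenID implementation, the following Python shows how the single-use rule stated in the reply above can be enforced with "jti": a client mints a fresh random "jti" for every assertion, and the token endpoint remembers each (iss, jti) pair until the assertion's "exp" so that presenting the same assertion twice is rejected as a replay. It assumes the JWT's signature has already been verified and its payload decoded into a dict; the function and class names are hypothetical.

```python
import time
import uuid

class AssertionReplayError(Exception):
    """A jti was presented again before the assertion it came with expired."""

def new_assertion_claims(client_id, token_endpoint_url, ttl_seconds=60, clock=time.time):
    """Client side (hypothetical helper): claims for one assertion with a fresh
    random jti, so signing them yields a single-use credential, not a password."""
    now = int(clock())
    return {"iss": client_id, "sub": client_id, "aud": token_endpoint_url,
            "iat": now, "exp": now + ttl_seconds, "jti": uuid.uuid4().hex}

class ClientAssertionValidator:
    """Server side: check the claims of a client_secret_jwt / private_key_jwt
    assertion and de-duplicate on (iss, jti). Assumes the JWT signature has
    already been verified and the payload decoded into a dict."""

    def __init__(self, token_endpoint_url, clock=time.time):
        self.token_endpoint_url = token_endpoint_url
        self.clock = clock
        self._seen = {}  # (iss, jti) -> exp; an entry is kept only until exp

    def _purge(self, now):
        # Entries whose exp has passed are rejected by the exp check anyway,
        # so dropping them keeps the replay cache bounded.
        for key in [k for k, exp in self._seen.items() if exp <= now]:
            del self._seen[key]

    def validate(self, claims):
        """Return the authenticated client_id or raise; each jti is accepted once."""
        now = self.clock()
        self._purge(now)
        for name in ("iss", "sub", "aud", "exp", "jti"):
            if name not in claims:
                raise ValueError(f"missing required claim: {name}")
        if claims["iss"] != claims["sub"]:
            raise ValueError("iss and sub must both be the client_id")
        audiences = claims["aud"] if isinstance(claims["aud"], list) else [claims["aud"]]
        if self.token_endpoint_url not in audiences:
            raise ValueError("assertion not intended for this token endpoint")
        if claims["exp"] <= now:
            raise ValueError("assertion has expired")
        key = (claims["iss"], claims["jti"])
        if key in self._seen:
            raise AssertionReplayError(f"jti {claims['jti']!r} already used by {claims['iss']}")
        self._seen[key] = claims["exp"]
        return claims["iss"]
```

Keeping the cache keyed on (iss, jti) rather than jti alone means one client cannot block another's jti values, and bounding retention by "exp" is what makes a short assertion lifetime matter.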