[Openid-specs-ab] "jti" claim in client_secret_jwt and private_key_jwt JWTs

John Bradley ve7jtb at ve7jtb.com
Sat Oct 26 03:25:35 UTC 2013


Self-signed assertions must be single use.  That is the point of using them vs a password.  If you use the same assertion multiple times it is a password. 

There are reasons to reuse a third-party assertion, but it has the same security as a password. 

Sent from my iPhone

> On Oct 25, 2013, at 7:49 PM, Mike Jones <Michael.Jones at microsoft.com> wrote:
> 
> The spec currently says this about JWTs used for client_secret_jwt and private_key_jwt:
> jti
> REQUIRED. JWT ID. A unique identifier for the token. The JWT ID MAY be used by implementations requiring message de-duplication for one-time use assertions.
>  
> Brian asked us to drop the sentence “The JWT ID MAY be used by implementations requiring message de-duplication for one-time use assertions” in both cases.
>  
> A few questions:
> 1.       Why is “jti” required?
> 2.       How do we expect it to normally be used?
> 3.       Would it be typical for assertions to be for one-time use in our use cases?
> 4.       How would a client know whether an assertion is for one-time use?
> 5.       Should “jti” only be present if the assertion is for one-time use?
> 6.       Should it be required at all?
>  
>                                                                 -- Mike
>  
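The single-use check the thread is arguing about, as an added example that is not part of this message or of any OpenID Connect implementation: a client builds a client_secret_jwt assertion with a fresh jti, and the token endpoint verifies signature, iss/sub, aud and exp, then refuses any jti it has already accepted. The client id, secret and token endpoint URL are constructed values; the verifier keeps the seen-jti table only until the assertion's own exp, which is why a short lifetime plus a unique jti is enough to make the assertion non-replayable (stdlib HS256 only, so it runs offline).

```python
import base64
import hashlib
import hmac
import json
import time
import uuid

# Constructed values for the example only.
CLIENT_ID = "s6BhdRkqt3"
CLIENT_SECRET = b"constructed-shared-secret-for-demo-only"
TOKEN_ENDPOINT = "https://as.example.com/token"   # the assertion's audience


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_client_assertion(secret, client_id, audience, now=None, lifetime=60, jti=None):
    """Client side: build a client_secret_jwt assertion (HS256) with a fresh jti."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "iss": client_id, "sub": client_id, "aud": audience,
        "iat": now, "exp": now + lifetime,
        "jti": jti or str(uuid.uuid4()),      # unique per assertion, never reused
    }
    enc = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = enc(header) + "." + enc(claims)
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


class AssertionVerifier:
    """Token endpoint side: validate the assertion, then enforce one-time use via jti."""

    def __init__(self, secrets, audience, clock=time.time):
        self.secrets = secrets          # client_id -> shared secret
        self.audience = audience
        self.clock = clock
        self.seen = {}                  # jti -> exp of the assertion that carried it

    def _purge(self, now):
        # A jti only needs remembering while its assertion could still be accepted.
        for jti, exp in list(self.seen.items()):
            if exp <= now:
                del self.seen[jti]

    def verify(self, assertion):
        try:
            h, c, s = assertion.split(".")
        except ValueError:
            return False, "malformed"
        header = json.loads(_b64url_decode(h))
        if header.get("alg") != "HS256":
            return False, "unexpected alg"
        claims = json.loads(_b64url_decode(c))
        client_id = claims.get("iss")
        if client_id is None or claims.get("sub") != client_id:
            return False, "iss/sub mismatch"
        secret = self.secrets.get(client_id)
        if secret is None:
            return False, "unknown client"
        expected = hmac.new(secret, (h + "." + c).encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return False, "bad signature"
        aud = claims.get("aud")
        if aud != self.audience and not (isinstance(aud, list) and self.audience in aud):
            return False, "bad audience"
        now = int(self.clock())
        exp = claims.get("exp")
        if not isinstance(exp, int) or exp <= now:
            return False, "expired"
        jti = claims.get("jti")
        if not isinstance(jti, str) or not jti:
            return False, "missing jti"
        self._purge(now)
        if jti in self.seen:
            return False, "replayed jti"   # same assertion presented twice: treat as replay
        self.seen[jti] = exp
        return True, client_id


def demo(fixed_now=1_700_000_000):
    """Present one assertion twice: first accepted, second rejected as a replay."""
    verifier = AssertionVerifier({CLIENT_ID: CLIENT_SECRET}, TOKEN_ENDPOINT, clock=lambda: fixed_now)
    assertion = make_client_assertion(CLIENT_SECRET, CLIENT_ID, TOKEN_ENDPOINT, now=fixed_now)
    return verifier.verify(assertion), verifier.verify(assertion)


if __name__ == "__main__":
    print(demo())
```

The replay table is bounded by the assertion lifetime rather than growing forever, so the cost of requiring jti is small; without the jti check the same signed assertion would be accepted for the whole window, which is exactly the "it is a password" situation described above.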

