[Openid-specs-ab] [jose] Content-Type for JWT

Brian Campbell bcampbell at pingidentity.com
Wed Dec 3 13:08:55 UTC 2014


I think it's application/jwt per
http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-31#section-10.3.1

On Wed, Dec 3, 2014 at 5:11 AM, Prabath Siriwardena <prabath at wso2.com>
wrote:

> Is there a Content-Type defined for JWT already...?
>
> application/json Content-Type won't work - since the structure of the JWT
> is not JSON...
>
> Appreciate a lot any pointers..?
>
> Can we define a content type called application/jwt or application/json+jwt?
>
> Thanks & regards,
> -Prabath
>
> On Thu, Jun 5, 2014 at 11:13 AM, Prabath Siriwardena <prabath at wso2.com>
> wrote:
>
>> I have the following SOAP use case...
>>
>> 1. Using WS-Trust - I authenticate to the STS - and get a SAML Bearer
>> Token with the required set of claims..
>> 2. I use this as a supporting token to access a SOAP service.
>> 3. SOAP service will validate the signature of the SAML token and if it
>> is valid - I will be able to access it.
>>
>> Now I am thinking of implementing the same in the following manner for
>> REST APIs.
>>
>> 1. Using OpenID Connect talk to the token endpoint with client credential
>> grant type and get a signed ID token with the required set of claims.
>> 2. Set the JWT token in an HTTP header and talk to the secured API.
>> 3. API should validate the signature of the JWT and if it's valid and if
>> it trusts the issuer - should let me in.
>>
>> But - I find some limitations in spec to implement my REST use case.
>>
>> 1. OpenID Connect specification does not talk about client credentials
>> grant type. At the same time it does not say it's a MUST to use
>> authorization code or implicit.
>>
>> 2. AFAIK there is no HTTP binding to pass a JWT - please let me know if
>> there is any?
>>
>> Appreciate your thoughts on this...
>>
>>
>> Thanks & Regards,
>> Prabath
>>
>> Twitter : @prabath
>> LinkedIn : http://www.linkedin.com/in/prabathsiriwardena
>>
>> Mobile : +94 71 809 6732
>>
>> http://blog.facilelogin.com
>> http://blog.api-security.org
>>
>
>
>
> --
> Thanks & Regards,
> Prabath
>
>
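
The API side of the REST flow in the quoted June message, receiving the token as an `application/jwt` entity as answered above; this is an added example, not part of the original thread. It assumes an HS256 shared secret per issuer (an OpenID Provider would normally sign with an asymmetric key); the issuer URL, key and function names are constructed.

```python
import base64, hashlib, hmac, json

# Constructed issuer-to-key table; an assumption for this example.
TRUSTED_ISSUERS = {"https://op.example.com": b"constructed-shared-secret"}

def b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def make_jwt(claims, key):
    """Build a constructed HS256 sample token (stands in for the token endpoint)."""
    parts = [b64url_encode(json.dumps(p, separators=(",", ":")).encode())
             for p in ({"alg": "HS256", "typ": "JWT"}, claims)]
    signing_input = ".".join(parts)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)

def accept_jwt_body(content_type, body):
    """Return the claims of a valid application/jwt entity, else raise ValueError."""
    # Media types are case-insensitive and may carry parameters.
    if content_type.split(";", 1)[0].strip().lower() != "application/jwt":
        raise ValueError("unsupported media type")
    # Compact serialization: three base64url parts joined by dots, not JSON.
    parts = body.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    header = json.loads(b64url_decode(parts[0]))   # decode errors are ValueError
    claims = json.loads(b64url_decode(parts[1]))
    signature = b64url_decode(parts[2])
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise ValueError("header and claims must be JSON objects")
    # Pin the algorithm; never let the token choose it (e.g. "none").
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    issuer = claims.get("iss")
    key = TRUSTED_ISSUERS.get(issuer) if isinstance(issuer, str) else None
    if key is None:
        raise ValueError("untrusted issuer")
    expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise ValueError("bad signature")
    return claims  # exp/aud checks omitted here; a real API needs them

if __name__ == "__main__":
    token = make_jwt({"iss": "https://op.example.com", "sub": "client-1"},
                     TRUSTED_ISSUERS["https://op.example.com"])
    print(accept_jwt_body("application/jwt", token))
```
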