[Openid-specs-ab] [jose] Content-Type for JWT

Prabath Siriwardena prabath at wso2.com
Wed Dec 3 13:27:18 UTC 2014


Great..! Thanks Brian..

Thanks & regards,
-Prabath

On Wed, Dec 3, 2014 at 6:38 PM, Brian Campbell <bcampbell at pingidentity.com>
wrote:

> I think it's application/jwt per
> http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-31#section-10.3.1
>
> On Wed, Dec 3, 2014 at 5:11 AM, Prabath Siriwardena <prabath at wso2.com>
> wrote:
>
>> Is there a Content-Type defined for JWT already...?
>>
>> application/json Content-Type won't work - since the structure of the JWT
>> is not JSON...
>>
>> Appreciate a lot any pointers..?
>>
>> Can we define a content type called application/jwt or application/json+jwt?
>>
>> Thanks & regards,
>> -Prabath
>>
>> On Thu, Jun 5, 2014 at 11:13 AM, Prabath Siriwardena <prabath at wso2.com>
>> wrote:
>>
>>> I have the following SOAP use case...
>>>
>>> 1. Using WS-Trust - I authenticate to the STS - and get a SAML Bearer
>>> Token with the required set of claims..
>>> 2. I use this as a supporting token to access a SOAP service.
>>> 3. SOAP service will validate the signature of the SAML token and if it
>>> is valid - I will be able to access it.
>>>
>>> Now I am thinking of implementing the same in the following manner for
>>> REST APIs.
>>>
>>> 1. Using OpenID Connect talk to the token endpoint with client
>>> credential grant type and get a signed ID token with the required set of
>>> claims.
>>> 2. Set the JWT token in an HTTP header and talk to the secured API.
>>> 3. API should validate the signature of the JWT and if it's valid and if
>>> it trusts the issuer - should let me in.
>>>
>>> But - I find some limitations in the spec to implement my REST use case.
>>>
>>> 1. OpenID Connect specification does not talk about client credentials
>>> grant type - at the same time it does not say it's a MUST to use
>>> authorization code or implicit.
>>>
>>> 2. AFAIK there is no HTTP binding to pass a JWT - please let me know if
>>> there is any?
>>>
>>> Appreciate your thoughts on this...
>>>
>>>
>>> Thanks & Regards,
>>> Prabath
>>>
>>> Twitter : @prabath
>>> LinkedIn : http://www.linkedin.com/in/prabathsiriwardena
>>>
>>> Mobile : +94 71 809 6732
>>>
>>> http://blog.facilelogin.com
>>> http://blog.api-security.org
>>>
>>
>>
>>
>>
>

