<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0in;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Balloon Text Char";
margin:0in;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:"Tahoma","sans-serif";}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:"Courier New";}
span.BalloonTextChar
{mso-style-name:"Balloon Text Char";
mso-style-priority:99;
mso-style-link:"Balloon Text";
font-family:"Tahoma","sans-serif";}
span.EmailStyle22
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:windowtext;}
span.EmailStyle23
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:70853657;
mso-list-type:hybrid;
mso-list-template-ids:62788356 201916431 201916441 201916443 201916431 201916441 201916443 201916431 201916441 201916443;}
@list l0:level1
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level2
{mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level3
{mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level4
{mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level5
{mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level6
{mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level7
{mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level8
{mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level9
{mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="color:#1F497D">For what it’s worth, I’ve received similar feedback from other parties. We should probably consider changing the description of the request object from being a JWT to being a JWS signed JSON object.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"> -- Mike<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> jose-bounces@ietf.org [mailto:jose-bounces@ietf.org]
<b>On Behalf Of </b>Manger, James H<br>
<b>Sent:</b> Thursday, May 17, 2012 9:49 PM<br>
<b>To:</b> jose@ietf.org<br>
<b>Subject:</b> [jose] Is an OpenID Connect request really a JWT?<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span lang="EN-AU">OpenID Connect [<a href="http://openid.net/specs/openid-connect-standard-1_0.html#req_param_method">http://openid.net/specs/openid-connect-standard-1_0.html#req_param_method</a>] says:<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-AU"> “The request parameter is a JWT encoded OpenID Request Object…<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-AU"> The JWT object MAY be signed or signed and encrypted via JWS and JWE”<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-AU"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-AU">It gives the example below, which is a JWS with “typ”:”JWT”. The payload is a JSON object with 8 fields (response_type, client_id, redirect_uri, scope, state, nonce, userinfo (with lots of sub-fields), id_token (with
sub-fields)). The payload has none of the 8 reserved claims from the JWT spec (exp, nbf, iat, iss, aud, prn, jti, typ).<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-AU"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-AU">Can we really call that a JWT?<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-AU">It seems implausible that the 8 fields in this example (response_type…) are supposed to be treated as “Private Claim Names” as per the JWT spec.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-AU"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-AU">We have two totally separate ideas both being called “JWT”.<o:p></o:p></span></p>
<p class="MsoListParagraph" style="text-indent:-.25in;mso-list:l0 level1 lfo2"><![if !supportLists]><span lang="EN-AU"><span style="mso-list:Ignore">1.<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span lang="EN-AU">JSON object carrying a bunch of claims.<o:p></o:p></span></p>
<p class="MsoListParagraph" style="text-indent:-.25in;mso-list:l0 level1 lfo2"><![if !supportLists]><span lang="EN-AU"><span style="mso-list:Ignore">2.<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span lang="EN-AU">A base64-based way to package any blob of bytes in unprotected, signed, or encrypted forms.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-AU"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-AU">Suggestion: use “JWT” for #2; pick a new name for #1 (perhaps JSON Claim Set); lots of changes to spec text.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-AU"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-AU"><o:p> </o:p></span></p>
<pre style="background:#CCCCCC"><span lang="EN-AU" style="font-size:12.0pt;color:black">JWT algorithm = HS256<o:p></o:p></span></pre>
<pre style="background:#CCCCCC"><span lang="EN-AU" style="font-size:12.0pt;color:black">HMAC HASH Key = 'aaa'<o:p></o:p></span></pre>
<pre style="background:#CCCCCC"><span lang="EN-AU" style="font-size:12.0pt;color:black"><o:p> </o:p></span></pre>
<pre style="background:#CCCCCC"><span lang="EN-AU" style="font-size:12.0pt;color:black">JSON Encoded Header = "{"alg":"HS256","typ":"JWT"}"<o:p></o:p></span></pre>
<pre style="background:#CCCCCC"><span lang="EN-AU" style="font-size:12.0pt;color:black">JSON Encoded Payload = "{"response_type":"code id_token",<o:p></o:p></span></pre>
<pre style="background:#CCCCCC"><span lang="EN-AU" style="font-size:12.0pt;color:black"> "client_id":"s6BhdRkqt3",<o:p></o:p></span></pre>
<pre style="background:#CCCCCC"><span lang="EN-AU" style="font-size:12.0pt;color:black"> "redirect_uri":"<a href="https://client.example.com/cb">https://client.example.com/cb</a>",<o:p></o:p></span></pre>
<pre style="background:#CCCCCC"><span lang="EN-AU" style="font-size:12.0pt;color:black"> "scope":"openid profile",<o:p></o:p></span></pre>
<pre style="background:#CCCCCC"><span lang="EN-AU" style="font-size:12.0pt;color:black"> "state":"af0ifjsldkj",<o:p></o:p></span></pre>
<pre style="background:#CCCCCC"><span lang="EN-AU" style="font-size:12.0pt;color:black"> "nonce":"n-0S6_WzA2Mj",<o:p></o:p></span></pre>
<pre style="background:#CCCCCC"><span lang="EN-AU" style="font-size:12.0pt;color:black"> "userinfo":{"claims":{"name":null,"nickname":{"optional":true},<o:p></o:p></span></pre>
<pre style="background:#CCCCCC"><span lang="EN-AU" style="font-size:12.0pt;color:black"> "email":null,"verified":null,<o:p></o:p></span></pre>
<pre style="background:#CCCCCC"><span lang="EN-AU" style="font-size:12.0pt;color:black"> "picture":{"optional":true}}},<o:p></o:p></span></pre>
<pre style="background:#CCCCCC"><span lang="EN-AU" style="font-size:12.0pt;color:black"> "id_token":{"max_age":86400,"claims":{"acr":{"values":["2"]}}}<o:p></o:p></span></pre>
<pre style="background:#CCCCCC"><span lang="EN-AU" style="font-size:12.0pt;color:black"><o:p> </o:p></span></pre>
<pre style="background:#CCCCCC"><span lang="EN-AU" style="font-size:12.0pt;color:black">JWT = eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJyZXNwb25zZV90eXBlIjoiY29kZ<o:p></o:p></span></pre>
<pre style="background:#CCCCCC"><span lang="EN-AU" style="font-size:12.0pt;color:black"> SBpZF90b2tlbiIsImNsaWVudF9pZCI6InM2QmhkUmtxdDMiLCJyZWRpcmVjdF91cmkiO<o:p></o:p></span></pre>
<pre style="background:#CCCCCC"><span lang="EN-AU" style="font-size:12.0pt;color:black"> iJodHRwczpcL1wvY2xpZW50LmV4YW1wbGUuY29tXC9jYiIsInNjb3BlIjoib3BlbmlkI<o:p></o:p></span></pre>
<pre style="background:#CCCCCC"><span lang="EN-AU" style="font-size:12.0pt;color:black"> HByb2ZpbGUiLCJzdGF0ZSI6ImFmMGlmanNsZGtqIiwibm9uY2UiOiJuLTBTNl9XekEyT<o:p></o:p></span></pre>
<pre style="background:#CCCCCC"><span lang="EN-AU" style="font-size:12.0pt;color:black"> WoiLCJ1c2VyaW5mbyI6eyJjbGFpbXMiOnsibmFtZSI6bnVsbCwibmlja25hbWUiOnsib<o:p></o:p></span></pre>
<pre style="background:#CCCCCC"><span lang="EN-AU" style="font-size:12.0pt;color:black"> 3B0aW9uYWwiOnRydWV9LCJlbWFpbCI6bnVsbCwidmVyaWZpZWQiOm51bGwsInBpY3R1c<o:p></o:p></span></pre>
<pre style="background:#CCCCCC"><span lang="EN-AU" style="font-size:12.0pt;color:black"> mUiOnsib3B0aW9uYWwiOnRydWV9fX0sImlkX3Rva2VuIjp7Im1heF9hZ2UiOjg2NDAwL<o:p></o:p></span></pre>
<pre style="background:#CCCCCC"><span lang="EN-AU" style="font-size:12.0pt;color:black"> CJjbGFpbXMiOnsiYWNyIjp7InZhbHVlcyI6WyIyIl19fX19.ou2Yc1B9a5iZLqbzBxE9<o:p></o:p></span></pre>
<pre style="background:#CCCCCC"><span lang="EN-AU" style="font-size:12.0pt;color:black"> 5aNS0pSfRClCqM77n85ehGo<o:p></o:p></span></pre>
<p class="MsoNormal"><span lang="EN-AU"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-AU"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-AU"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-AU">--<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-AU">James Manger<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-AU"><o:p> </o:p></span></p>
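<p class="MsoNormal">The distinction James draws (a JWS is an envelope for any JSON object; a JWT in the claim-set sense is one particular kind of payload) can be made concrete with a small verifier. The following is an added example, not code from either message or from the OpenID Connect or JWT drafts. It re-assembles the request object exactly as printed above, decodes its header and payload, counts how many of the eight reserved claim names it carries (none), and then packages both that request object and a constructed claim set (the <code>CLAIM_SET</code> values are made up for contrast) in the same HS256 JWS envelope. The HMAC key <code>aaa</code> is the one the message gives; whether the message's signature actually verifies under it is reported by the code but assumed nothing about here. The verifier pins <code>alg</code> to HS256 rather than dispatching on the header, which is the check a practitioner wants regardless of which name the spec settles on.</p>

```python
import base64
import hashlib
import hmac
import json

# The eight reserved claim names of the JWT draft cited in the message.
RESERVED_CLAIMS = frozenset({"exp", "nbf", "iat", "iss", "aud", "prn", "jti", "typ"})


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # Re-add the padding that compact serialization strips.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jws_hs256_sign(payload: dict, key: bytes, typ=None) -> str:
    """Package ANY JSON object as an HS256 JWS in compact serialization (idea #2)."""
    header = {"alg": "HS256"}
    if typ is not None:
        header["typ"] = typ
    h = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    mac = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url_encode(mac)}"


def jws_hs256_verify(token: str, key: bytes) -> dict:
    """Return the payload object if the HS256 MAC over header.payload checks out."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated segments")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    # Pin the algorithm instead of trusting header["alg"]: a verifier that
    # dispatches on the header would accept "none" or a key-type confusion.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg %r" % header.get("alg"))
    expected = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("signature mismatch")
    return json.loads(b64url_decode(p))


def peek(token: str) -> tuple:
    """Decode header and payload WITHOUT verifying; for inspection only."""
    h, p, _ = token.split(".")
    return json.loads(b64url_decode(h)), json.loads(b64url_decode(p))


def reserved_claims_in(payload: dict) -> set:
    """Which JWT reserved claim names (idea #1) the object actually carries."""
    return set(RESERVED_CLAIMS) & set(payload)


# The request object exactly as printed in the message (line breaks removed).
PAGE_TOKEN = "".join("""
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJyZXNwb25zZV90eXBlIjoiY29kZ
SBpZF90b2tlbiIsImNsaWVudF9pZCI6InM2QmhkUmtxdDMiLCJyZWRpcmVjdF91cmkiO
iJodHRwczpcL1wvY2xpZW50LmV4YW1wbGUuY29tXC9jYiIsInNjb3BlIjoib3BlbmlkI
HByb2ZpbGUiLCJzdGF0ZSI6ImFmMGlmanNsZGtqIiwibm9uY2UiOiJuLTBTNl9XekEyT
WoiLCJ1c2VyaW5mbyI6eyJjbGFpbXMiOnsibmFtZSI6bnVsbCwibmlja25hbWUiOnsib
3B0aW9uYWwiOnRydWV9LCJlbWFpbCI6bnVsbCwidmVyaWZpZWQiOm51bGwsInBpY3R1c
mUiOnsib3B0aW9uYWwiOnRydWV9fX0sImlkX3Rva2VuIjp7Im1heF9hZ2UiOjg2NDAwL
CJjbGFpbXMiOnsiYWNyIjp7InZhbHVlcyI6WyIyIl19fX19.ou2Yc1B9a5iZLqbzBxE9
5aNS0pSfRClCqM77n85ehGo
""".split())

# A constructed conventional claim set for contrast (values are made up).
CLAIM_SET = {"iss": "https://op.example.com", "aud": "s6BhdRkqt3",
             "prn": "248289761001", "iat": 1337299200, "exp": 1337302800}


def compare_payloads(key: bytes = b"aaa") -> dict:
    """One JWS envelope carries both kinds of object; only the payload's
    claim names tell a claim set apart from an arbitrary JSON object."""
    page_header, page_payload = peek(PAGE_TOKEN)
    try:
        jws_hs256_verify(PAGE_TOKEN, key)
        page_sig_ok = True
    except ValueError:
        page_sig_ok = False
    # Re-sign the same request object locally and round-trip it.
    request_token = jws_hs256_sign(page_payload, key, typ="JWT")
    claims_token = jws_hs256_sign(CLAIM_SET, key, typ="JWT")
    return {
        "page_header": page_header,
        "page_signature_verifies_with_aaa": page_sig_ok,
        "request_reserved_claims": reserved_claims_in(jws_hs256_verify(request_token, key)),
        "claimset_reserved_claims": reserved_claims_in(jws_hs256_verify(claims_token, key)),
        "request_payload": page_payload,
    }


if __name__ == "__main__":
    for name, value in compare_payloads().items():
        print(name, "=", value)
```

<p class="MsoNormal">Running it shows the header of the message's token is <code>{"typ":"JWT","alg":"HS256"}</code> while its payload contains none of the reserved claim names; the locally signed claim set, by contrast, reports five of them. Nothing in the envelope or in <code>typ</code> distinguishes the two cases, which is the point of the thread.</p>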
</div>
</body>
</html>