<p style="margin:0px;padding:0px;word-wrap:break-word;color:rgb(51,51,51);font-family:sans-serif;font-size:14px;line-height:20px;background-color:rgb(255,255,255)">As it was discussed during today's call, here is the concrete proposal that I am making.</p>
<p style="margin:0px;padding:0px;word-wrap:break-word;color:rgb(51,51,51);font-family:sans-serif;font-size:14px;line-height:20px;background-color:rgb(255,255,255)">I would take them to the OAuth ML if you guys agree.</p>
<p style="margin:0px;padding:0px;word-wrap:break-word">There are two types: a brief one, and a more specified one.</p>
<p style="margin:10px 0px;padding:0px;word-wrap:break-word"><b>(Option 1) Really brief one</b></p><div class="codehilite">
<pre style="font-family:'Bitstream Vera Sans Mono','DejaVu Sans Mono',Monaco,monospace;font-size:12px;line-height:1.4;margin-top:9px;margin-bottom:9px;border:1px solid rgb(204,204,204);border-top-left-radius:3px;border-top-right-radius:3px;border-bottom-right-radius:3px;border-bottom-left-radius:3px;padding:9px 12px;background-color:rgb(245,245,245);overflow-x:auto">
4.1.9. "reg" (Registered to) Claim

The "reg" (registered to) claim is the Client ID of the user of the
JWT that the audience is able to identify the client with.
This claim is OPTIONAL.
</pre></div><p style="margin:10px 0px;padding:0px;word-wrap:break-word"><b>(Option 2) Brief one</b></p><p style="margin:10px 0px;padding:0px;word-wrap:break-word">Add the following to the JWT.</p>
<div class="codehilite"><pre style="font-family:'Bitstream Vera Sans Mono','DejaVu Sans Mono',Monaco,monospace;font-size:12px;line-height:1.4;margin-top:9px;margin-bottom:9px;border:1px solid rgb(204,204,204);border-top-left-radius:3px;border-top-right-radius:3px;border-bottom-right-radius:3px;border-bottom-left-radius:3px;padding:9px 12px;background-color:rgb(245,245,245);overflow-x:auto">
4.1.9. "reg" (Registered to) Claim

The "reg" (registered to) claim identifies the client that the JWT is
intended for. The client intended to use the JWT MUST be
identified by the audience with the value of this claim.

The "reg" value is a case sensitive string containing a StringOrURI value.
This claim is OPTIONAL. If the principal processing the claim does not
identify the user of the JWT with the identifier in the "reg" claim value,
then the JWT MUST be rejected. The interpretation of the registered to
value is generally application specific.
</pre></div><p style="margin:10px 0px;padding:0px;word-wrap:break-word"><b>(Option 3) More specified one</b></p><p style="margin:10px 0px;padding:0px;word-wrap:break-word">
Add the following to the JWT.</p><div class="codehilite"><pre style="font-family:'Bitstream Vera Sans Mono','DejaVu Sans Mono',Monaco,monospace;font-size:12px;line-height:1.4;margin-top:9px;margin-bottom:9px;border:1px solid rgb(204,204,204);border-top-left-radius:3px;border-top-right-radius:3px;border-bottom-right-radius:3px;border-bottom-left-radius:3px;padding:9px 12px;background-color:rgb(245,245,245);overflow-x:auto">
4.1.9. "reg" (Registered to) Claim

The "reg" (registered to) claim identifies the client that the JWT is
intended for. The client intended to use the JWT MUST be
identified by the audience with the value of this claim.

The "reg" value is a case sensitive string containing a StringOrURI value.
This claim is OPTIONAL. If the principal processing the claim does not
identify the user of the JWT with the identifier in the "reg" claim value,
then the JWT MUST be rejected. The interpretation of the registered to
value is generally application specific.

A typical example of a registered to claim includes the following:
* A base64url encoded JWK.
* A base64url encoded DER.
* A URL that points to the key material that the audience can use to
  authenticate the user of the JWT.
* client_id that the audience can use to authenticate and
  identify the client.

4.1.10. "rct" (Registered to claim type)

The "rct" (Registered to claim type) identifies the type of the "reg" claim.
It is a StringOrURI value. The defined values are the following:

"jwk" The value of the "reg" claim is a base64url encoded JWK of
the registered client.

"x5u" The value of the "reg" claim is the URL that points to the public
key certificate of the registered client. The format of the content
that x5u points to is described in section 4.1.4 of the JSON Web Signature.

"client_id" The value of the "reg" claim is the Client ID of the client
that the audience of the JWT is able to use to authenticate the client.
</pre></div><p style="margin:10px 0px;padding:0px;word-wrap:break-word">Alternatively, they can be added to Table 1 of the Messages, but I think it is general enough that it should live in JWT.</p>-- <br>Nat Sakimura (=nat)<div>
Chairman, OpenID Foundation<br><a href="http://nat.sakimura.org/" target="_blank">http://nat.sakimura.org/</a><br>@_nat_en</div><br>
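<p style="margin:10px 0px;padding:0px;word-wrap:break-word">To make the "MUST be rejected" rule in Options 2 and 3 concrete, here is an added example of what the audience-side check looks like. It is not part of the proposal and not OpenID or IETF code. It assumes HS256 JWTs built with the Python standard library, a constructed client registry (placeholder key material, not real keys), the "rct" values from Option 3, and, as a labelled assumption the proposal does not state, that a missing "rct" is read as "client_id". The security point it shows is sender constraint: a JWT registered to one client is rejected when a different client presents it, and rewriting "reg" without the issuer's key breaks the signature.</p>

```python
# Added example (not the proposal's or any OpenID/IETF code): audience-side
# handling of the proposed "reg"/"rct" claims. Assumes HS256 JWTs built with
# the standard library, a constructed client registry and Option 3 semantics.
import base64
import hashlib
import hmac
import json


class JWTRejected(Exception):
    """Raised whenever the proposal says the JWT MUST be rejected."""


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def canonical(obj) -> str:
    return json.dumps(obj, sort_keys=True, separators=(",", ":"))


def make_jwt(claims: dict, key: bytes) -> str:
    """Issuer side: compact JWS, HS256 over header.payload."""
    signing_input = (b64url_encode(canonical({"alg": "HS256"}).encode())
                     + "." + b64url_encode(canonical(claims).encode()))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


# Constructed registry: what the audience already knows about each client
# (placeholder key material, not real keys).
REGISTERED_CLIENTS = {
    "s6BhdRkqt3": {"jwk": {"kty": "EC", "crv": "P-256", "x": "CONSTRUCTED-X1", "y": "CONSTRUCTED-Y1"},
                   "x5u": "https://client.example.org/keys/s6BhdRkqt3.pem"},
    "other-client": {"jwk": {"kty": "EC", "crv": "P-256", "x": "CONSTRUCTED-X2", "y": "CONSTRUCTED-Y2"},
                     "x5u": "https://other.example.org/keys/other.pem"},
}


def check_registered_to(claims: dict, presenting_client_id: str, registry: dict) -> None:
    """Reject the JWT unless "reg" identifies the client that presented it."""
    if "reg" not in claims:  # "reg" is OPTIONAL: nothing to bind
        return
    reg = claims["reg"]
    if not isinstance(reg, str):
        raise JWTRejected('"reg" must be a StringOrURI')
    rct = claims.get("rct", "client_id")  # assumption: absent "rct" means "client_id"
    record = registry.get(presenting_client_id)
    if record is None:
        raise JWTRejected("presenting client is not registered with this audience")
    if rct == "client_id":
        matches = reg == presenting_client_id  # case-sensitive, as the proposal requires
    elif rct == "jwk":
        try:
            presented = json.loads(b64url_decode(reg))
        except ValueError:
            raise JWTRejected('"reg" is not a base64url-encoded JWK')
        matches = canonical(presented) == canonical(record["jwk"])
    elif rct == "x5u":
        # Compare with the URL on file; never fetch a URL taken from the token.
        matches = reg == record["x5u"]
    else:
        raise JWTRejected('unknown "rct" value %r' % rct)
    if not matches:
        raise JWTRejected("JWT is registered to a different client")


def verify_jwt(token: str, key: bytes, expected_aud: str, presenting_client_id: str,
               registry: dict = REGISTERED_CLIENTS) -> dict:
    """Audience side: signature first, then audience, then the "reg" binding."""
    parts = token.split(".")
    if len(parts) != 3:
        raise JWTRejected("malformed compact serialization")
    h, p, s = parts
    try:
        header, sig = json.loads(b64url_decode(h)), b64url_decode(s)
    except ValueError:
        raise JWTRejected("undecodable header or signature")
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise JWTRejected("unexpected alg")
    expected = hmac.new(key, (h + "." + p).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise JWTRejected("bad signature")
    claims = json.loads(b64url_decode(p))  # only parsed after the signature checks out
    aud = claims.get("aud")
    if aud != expected_aud and not (isinstance(aud, list) and expected_aud in aud):
        raise JWTRejected("audience mismatch")
    check_registered_to(claims, presenting_client_id, registry)
    return claims


def demo() -> dict:
    """Constructed run: one JWT per "rct" form, presented by its client and by another."""
    key, aud = b"constructed-shared-secret", "https://rs.example.com"
    base = {"iss": "https://as.example.com", "aud": aud, "sub": "alice"}
    jwk_b64 = b64url_encode(canonical(REGISTERED_CLIENTS["s6BhdRkqt3"]["jwk"]).encode())
    tokens = {"client_id": make_jwt(dict(base, reg="s6BhdRkqt3", rct="client_id"), key),
              "jwk": make_jwt(dict(base, reg=jwk_b64, rct="jwk"), key)}
    results = {}
    for kind, tok in tokens.items():
        for who in ("s6BhdRkqt3", "other-client"):
            try:
                verify_jwt(tok, key, aud, who)
                results[(kind, who)] = "accepted"
            except JWTRejected as exc:
                results[(kind, who)] = str(exc)
    return results


if __name__ == "__main__":
    for (kind, who), outcome in demo().items():
        print("rct=%-9s presented by %-12s -> %s" % (kind, who, outcome))
```

<p style="margin:10px 0px;padding:0px;word-wrap:break-word">Two design choices worth noting. The "reg" value is only ever compared against what the audience already holds for the presenting client (its registered Client ID, JWK or x5u URL); in particular the x5u branch never dereferences the URL carried in the token, so a token cannot steer the audience to attacker-controlled key material. And the comparison is exact and case-sensitive, matching the "case sensitive string" wording in Options 2 and 3.</p>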