<div><span style="background-color:rgb(255,255,255);color:rgb(51,51,51);font-family:sans-serif;font-size:14px;line-height:20px">Amended text. Changed "reg" to "cid". Will post the longest version to the OAuth list, as cutting down is generally easier than adding in the list.</span></div>
<div><div class="codehilite" style="color:rgb(51,51,51);font-family:sans-serif;font-size:14px;line-height:20px;background-color:rgb(255,255,255)"><pre style="font-family:'Bitstream Vera Sans Mono','DejaVu Sans Mono',Monaco,monospace;font-size:12px;line-height:1.4;margin-top:9px;margin-bottom:9px;border:1px solid rgb(204,204,204);border-top-left-radius:3px;border-top-right-radius:3px;border-bottom-right-radius:3px;border-bottom-left-radius:3px;padding:9px 12px;background-color:rgb(245,245,245);overflow-x:auto">
4.1.9. "cid" Client Identification Data Claim

The "cid" (client identification data) claim allows the receiver
of the JWT to identify the entity that the JWT is
intended to be used by. The audience of the JWT MUST be
able to identify the client with the value of this claim.

The "cid" value is a case sensitive string containing a StringOrURI value.
This claim is OPTIONAL. If the entity processing the claim does not
identify the user of the JWT with the identifier in the "cid" claim value,
then the JWT MUST be rejected. The interpretation of the registered to
value is generally application specific.

A typical example of a registered to claim includes the following:
* client_id that the audience can use to authenticate and
  identify the client.
* A base64url encoded JWK.
* A URL that points to the key material that the audience can use to
  authenticate the user of the JWT.

4.1.10 "cit" (Client Identification Data claim type)

The "cit" (Client Identification Data claim type) identifies the type
of the "cid" claim. It is a StringOrURI value. The defined values
are the following:

"client_id" The value of the "cid" claim is the Client ID of the client
that the audience of the JWT is able to use to authenticate the client.

"jwk" The value of the "cid" claim is a base64url encoded JWK of
the registered client.

"jku" The value of the "cid" claim is the "jku" defined in 4.1.2 of
JSON Web Signature [JWS].

"x5u" The value of the "cid" claim is the URL that points to the public
key certificate of the registered client. The format of the content
that x5u points to is described in section 4.1.4 of the JSON Web Signature.</pre>
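<p>An added illustration of the rejection rule in the proposed text (editor's example, not part of Nat's proposal or any OpenID implementation): after verifying an HS256 signature, the audience compares the "cid" value with its own record of the presenting client according to "cit", and rejects the JWT when they do not match. The presenter record shape (client_id / jwk / key_url), the HMAC key, and the choice to treat a missing "cit" as a Client ID are assumptions of this example.</p>

```python
import base64
import hashlib
import hmac
import json


class Rejected(Exception):
    """Raised when the JWT MUST be rejected under the proposed text."""


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_hs256(claims: dict, key: bytes) -> str:
    """Constructed helper: issue a compact HS256 JWT so the demo runs offline."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def check_client_binding(claims: dict, presenter: dict) -> str:
    """Enforce the 'cid'/'cit' rule: if the audience cannot recognise the
    presenting client from 'cid', the JWT MUST be rejected. `presenter` is the
    audience's record of who presented it (hypothetical: client_id/jwk/key_url)."""
    cid = claims.get("cid")
    if cid is None:
        return "no-cid"  # 'cid' is OPTIONAL: nothing asserted, nothing to enforce
    if not isinstance(cid, str):
        raise Rejected("cid must be a StringOrURI")
    cit = claims.get("cit", "client_id")  # assumption: absent 'cit' means Client ID
    if cit == "client_id":
        if cid != presenter.get("client_id"):  # case sensitive, exact match
            raise Rejected("cid does not match the authenticated client_id")
    elif cit == "jwk":
        try:
            jwk = json.loads(b64url_decode(cid))
        except (ValueError, UnicodeDecodeError) as exc:
            raise Rejected("cid is not a base64url encoded JWK") from exc
        if jwk != presenter.get("jwk"):
            raise Rejected("JWK in cid is not the presenting client's key")
    elif cit in ("jku", "x5u"):
        # 'cid' is a URL to key material the audience would fetch over TLS and use
        # to authenticate the client; offline we accept only the registered https URL.
        if not cid.startswith("https://") or cid != presenter.get("key_url"):
            raise Rejected(f"{cit} URL is not the presenting client's key URL")
    else:
        raise Rejected(f"unknown cit value {cit!r}")
    return cit


def validate(token: str, key: bytes, presenter: dict) -> str:
    """Verify the HS256 signature first, then apply the client binding."""
    try:
        h, p, s = token.split(".")
    except ValueError as exc:
        raise Rejected("not a compact JWS") from exc
    if json.loads(b64url_decode(h)).get("alg") != "HS256":
        raise Rejected("unexpected alg")  # never trust the header's alg choice
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise Rejected("bad signature")
    return check_client_binding(json.loads(b64url_decode(p)), presenter)
```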
</div><br><div class="gmail_quote">On Wed, Dec 12, 2012 at 8:15 AM, Nat Sakimura <span dir="ltr"><<a href="mailto:sakimura@gmail.com" target="_blank">sakimura@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Oh, that is good to know. That is a real statement of use. <br><div>I do not have attachment to the claim names. </div><div>Semantically, cid would be more purpose free than reg. </div><span class="HOEnZb"><font color="#888888"><div>
<br></div></font></span><div><span class="HOEnZb"><font color="#888888">Nat</font></span><div><div class="h5"><br><br><div class="gmail_quote">
On Wed, Dec 12, 2012 at 1:53 AM, Tim Bray <span dir="ltr"><<a href="mailto:tbray@textuality.com" target="_blank">tbray@textuality.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">

Hm, the ID Tokens our OIDC connect endpoint produces currently contain a “cid” claim, which if I understand correctly is used for this.  It’s very useful. “cid” seems slightly more mnemonic.  -Tim<br><br><div class="gmail_quote">

<div><div>
On Mon, Dec 10, 2012 at 5:33 PM, Nat Sakimura <span dir="ltr"><<a href="mailto:sakimura@gmail.com" target="_blank">sakimura@gmail.com</a>></span> wrote:<br></div></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">

<div><div>
<p style="line-height:20px;color:rgb(51,51,51);font-size:14px;font-family:sans-serif;margin:0px;word-wrap:break-word;padding:0px">As it was discussed during today's call, here is the concrete proposal that I am making. </p>



<p style="line-height:20px;color:rgb(51,51,51);font-size:14px;font-family:sans-serif;margin:0px;word-wrap:break-word;padding:0px">I would take them to OAuth ML if you guys agree. </p><p style="line-height:20px;color:rgb(51,51,51);font-size:14px;font-family:sans-serif;margin:0px;word-wrap:break-word;padding:0px">



<br></p><p style="line-height:20px;color:rgb(51,51,51);font-size:14px;font-family:sans-serif;margin:0px;word-wrap:break-word;padding:0px"></p><p style="margin:0px;padding:0px;word-wrap:break-word">
There are two types: Brief one, and more specified one.</p><p style="margin:0px;padding:0px;word-wrap:break-word"></p><p style="margin:10px 0px;padding:0px;word-wrap:break-word"><b>(Option 1) Really brief one</b></p><div>



<pre style="font-family:'Bitstream Vera Sans Mono','DejaVu Sans Mono',Monaco,monospace;font-size:12px;line-height:1.4;margin-top:9px;margin-bottom:9px;border:1px solid rgb(204,204,204);border-top-left-radius:3px;border-top-right-radius:3px;border-bottom-right-radius:3px;border-bottom-left-radius:3px;padding:9px 12px;background-color:rgb(245,245,245);overflow-x:auto">
4.1.9. "reg" (Registered to) Claim

The "reg" (registered to) claim is the Client ID of the user of the
JWT that the audience is able to identify the client with.
This claim is OPTIONAL.
</pre><div><span><br></span></div></div><p></p><p style="margin:10px 0px;padding:0px;word-wrap:break-word"><b>(Option 2) Brief one</b></p><p style="margin:10px 0px;padding:0px;word-wrap:break-word">Add the following to the JWT.</p>



<div><pre style="font-family:'Bitstream Vera Sans Mono','DejaVu Sans Mono',Monaco,monospace;font-size:12px;line-height:1.4;margin-top:9px;margin-bottom:9px;border:1px solid rgb(204,204,204);border-top-left-radius:3px;border-top-right-radius:3px;border-bottom-right-radius:3px;border-bottom-left-radius:3px;padding:9px 12px;background-color:rgb(245,245,245);overflow-x:auto">
4.1.9. "reg" (Registered to) Claim

The "reg" (registered to) claim identifies the client that the JWT is
intended for. The client intended to use the JWT MUST be
identified by the audience with the value of this claim.

The "reg" value is a case sensitive string containing a StringOrURI value.
This claim is OPTIONAL. If the principal processing the claim does not
identify the user of the JWT with the identifier in the "reg" claim value,
then the JWT MUST be rejected. The interpretation of the registered to
value is generally application specific.
</pre></div><p style="margin:10px 0px;padding:0px;word-wrap:break-word"><b><br></b></p><p style="margin:10px 0px;padding:0px;word-wrap:break-word"><b>(Option 3) More specified one</b></p><p style="margin:10px 0px;padding:0px;word-wrap:break-word">



Add the following to the JWT.</p><div><pre style="font-family:'Bitstream Vera Sans Mono','DejaVu Sans Mono',Monaco,monospace;font-size:12px;line-height:1.4;margin-top:9px;margin-bottom:9px;border:1px solid rgb(204,204,204);border-top-left-radius:3px;border-top-right-radius:3px;border-bottom-right-radius:3px;border-bottom-left-radius:3px;padding:9px 12px;background-color:rgb(245,245,245);overflow-x:auto">
4.1.9. "reg" (Registered to) Claim

The "reg" (registered to) claim identifies the client that the JWT is
intended for. The client intended to use the JWT MUST be
identified by the audience with the value of this claim.

The "reg" value is a case sensitive string containing a StringOrURI value.
This claim is OPTIONAL. If the principal processing the claim does not
identify the user of the JWT with the identifier in the "reg" claim value,
then the JWT MUST be rejected. The interpretation of the registered to
value is generally application specific.

A typical example of a registered to claim includes the following:
* A base64url encoded JWK.
* A base64url encoded DER.
* A URL that points to the key material that the audience can use to
  authenticate the user of the JWT.
* client_id that the audience can use to authenticate and
  identify the client.

4.1.10 "rct" (Registered to claim type)

The "rct" (Registered to claim type) identifies the type of the "reg" claim.
It is a StringOrURI value. The defined values are the following:

"jwk" The value of the "reg" claim is a base64url encoded JWK of
the registered client.

"x5u" The value of the "reg" claim is the URL that points to the public
key certificate of the registered client. The format of the content
that x5u points to is described in section 4.1.4 of the JSON Web Signature.

"client_id" The value of the "reg" claim is the Client ID of the client
that the audience of the JWT is able to use to authenticate the client.
</pre></div><p style="margin:10px 0px;padding:0px;word-wrap:break-word">Alternatively, they can be added to Table 1 of the Messages, but I think it is general enough that it should live in JWT.</p><span><font color="#888888"><p>


</p>-- <br>Nat Sakimura (=nat)<div>
Chairman, OpenID Foundation<br><a href="http://nat.sakimura.org/" target="_blank">http://nat.sakimura.org/</a><br>@_nat_en</div><br>
</font></span><br></div></div>_______________________________________________<br>
Openid-specs-ab mailing list<br>
<a href="mailto:Openid-specs-ab@lists.openid.net" target="_blank">Openid-specs-ab@lists.openid.net</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a><br>
<br></blockquote></div><br>
</blockquote></div><br><br clear="all"><div><br></div>-- <br>Nat Sakimura (=nat)<div>Chairman, OpenID Foundation<br><a href="http://nat.sakimura.org/" target="_blank">http://nat.sakimura.org/</a><br>@_nat_en</div><br>
</div></div></div>
</blockquote></div><br><br clear="all"><div><br></div>-- <br>Nat Sakimura (=nat)<div>Chairman, OpenID Foundation<br><a href="http://nat.sakimura.org/" target="_blank">http://nat.sakimura.org/</a><br>@_nat_en</div><br>
</div>