<div dir="ltr">Yes the Command Token in OP Commands is explicitly typed (command+jwt) per <a href="https://openid.github.io/openid-provider-commands/main.html#name-cross-jwt-confusion">https://openid.github.io/openid-provider-commands/main.html#name-cross-jwt-confusion</a><div><br></div><div>-Karl</div></div><br><div class="gmail_quote gmail_quote_container"><div dir="ltr" class="gmail_attr">On Thu, Mar 13, 2025 at 11:33 AM Brian Campbell via Openid-specs-ab <<a href="mailto:openid-specs-ab@lists.openid.net">openid-specs-ab@lists.openid.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">OP Command JWTs are explicitly typed, aren't they? <br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Mar 13, 2025 at 12:06 PM george--- via Openid-specs-ab <<a href="mailto:openid-specs-ab@lists.openid.net" target="_blank">openid-specs-ab@lists.openid.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div>Hi,<div><br></div><div>As part of OP Commands, a design goal is to re-use the signing mechanisms of the id_tokens in the ecosystem (at least that is my understanding). In looking at the OpenID Connect core spec, it’s not very clear what should be present in the JWT Header object of a signed (JWS) id_token. The examples in the appendix include the ‘kid’ and ‘alg’ claims. </div><div><br></div><div>I’m wondering if it’s possible for the OP Command to be an explicitly typed JWT to make it very clear it is NOT an id_token (rather than relying on presence or absence of a nonce claim) and still use the same keys for signing. It seems to me that the keys used for signing are not in any way bound to only being used for id_tokens and hence could be used for other JWT based structures.</div><div><br></div><div>That might make some of this simpler and allow OP Commands to be extended in a cleaner way than trying to maintain some compatibility to id_tokens.</div><div><br></div><div>Thoughts?</div><div><br></div><div><div>
<div>George Fletcher</div><div>Identity Standards Architect</div><div>Practical Identity LLC</div><div><br></div><br>
</div>
<br></div></div>_______________________________________________<br>
Openid-specs-ab mailing list<br>
<a href="mailto:Openid-specs-ab@lists.openid.net" target="_blank">Openid-specs-ab@lists.openid.net</a><br>
<a href="https://lists.openid.net/mailman/listinfo/openid-specs-ab" rel="noreferrer" target="_blank">https://lists.openid.net/mailman/listinfo/openid-specs-ab</a><br>
</blockquote></div>
<br>
<i style="margin:0px;padding:0px;border:0px;outline:0px;vertical-align:baseline;background:rgb(255,255,255);font-family:proxima-nova-zendesk,system-ui,-apple-system,system-ui,"Segoe UI",Roboto,Oxygen-Sans,Ubuntu,Cantarell,"Helvetica Neue",Arial,sans-serif;color:rgb(85,85,85)"><span style="margin:0px;padding:0px;border:0px;outline:0px;vertical-align:baseline;background:transparent;font-family:proxima-nova-zendesk,system-ui,-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,Oxygen-Sans,Ubuntu,Cantarell,"Helvetica Neue",Arial,sans-serif;font-weight:600"><font size="2">CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited. If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you.</font></span></i>_______________________________________________<br>
Openid-specs-ab mailing list<br>
<a href="mailto:Openid-specs-ab@lists.openid.net" target="_blank">Openid-specs-ab@lists.openid.net</a><br>
<a href="https://lists.openid.net/mailman/listinfo/openid-specs-ab" rel="noreferrer" target="_blank">https://lists.openid.net/mailman/listinfo/openid-specs-ab</a><br>
</blockquote></div>