Is there a Content-Type defined for JWT already...? application/json Content-Type won't work - since the structure of the JWT is not JSON...
Appreciate a lot any pointers..? Can we define a content type called application/jwt or application/json+jwt?

Thanks & regards,
-Prabath

On Thu, Jun 5, 2014 at 11:13 AM, Prabath Siriwardena <[email protected]> wrote:

> I have the following SOAP use case...
>
> 1. Using WS-Trust - I authenticate to the STS - and get a SAML Bearer Token with the required set of claims..
> 2. I use this as a supporting token to access a SOAP service.
> 3. SOAP service will validate the signature of the SAML token and if it is valid - I will be able to access it.
>
> Now I am thinking of implementing the same in the following manner for REST APIs.
>
> 1. Using OpenID Connect, talk to the token endpoint with client credential grant type and get a signed ID token with the required set of claims.
> 2. Set the JWT token in an HTTP header and talk to the secured API.
> 3. API should validate the signature of the JWT and if it's valid and if it trusts the issuer - should let me in.
>
> But - I find some limitations in the spec to implement my REST use case.
>
> 1. OpenID Connect specification does not talk about client credentials grant type - at the same time it does not say it's a MUST to use authorization code or implicit.
>
> 2. AFAIK there is no HTTP binding to pass a JWT - please let me know if there is any?
>
> Appreciate your thoughts on this...
>
> Thanks & Regards,
> Prabath
>
> Twitter : @prabath
> LinkedIn : http://www.linkedin.com/in/prabathsiriwardena
>
> Mobile : +94 71 809 6732
>
> http://blog.facilelogin.com
> http://blog.api-security.org

--
Thanks & Regards,
Prabath

Twitter : @prabath
LinkedIn : http://www.linkedin.com/in/prabathsiriwardena

Mobile : +94 71 809 6732

http://blog.facilelogin.com
http://blog.api-security.org
_______________________________________________
jose mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/jose
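The REST flow quoted above (JWT carried in an HTTP header, the API verifies the signature and only then checks that it trusts the issuer), as an added example that is not part of this thread: a stdlib-only Python validator for a bearer JWT. It assumes HS256 with a shared secret purely for illustration (a signed ID token would normally use RS256, which changes only the signature step); the issuer URL and secret are constructed values. The three dot-separated base64url segments it parses are also why a JWT is not JSON on the wire.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed sample values for the demo, not taken from the thread.
ISSUER = "https://sts.example.test"      # the only issuer this API trusts
SECRET = b"constructed-demo-secret"      # HS256 key shared with the issuer


def _b64url_decode(s: str) -> bytes:
    # Compact-serialization segments are base64url without '=' padding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def mint_jwt(claims: dict, key: bytes = SECRET) -> str:
    """Issuer side: build a compact-serialized HS256 JWT (header.payload.signature)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def validate_bearer(headers: dict, key: bytes = SECRET, now=None) -> dict:
    """API side: pull the JWT out of 'Authorization: Bearer <jwt>', verify the
    signature first, then admit the caller only if the issuer is the expected one."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not token:
        raise ValueError("missing bearer token")
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    header = json.loads(_b64url_decode(parts[0]))
    if header.get("alg") != "HS256":       # pin the algorithm; never act on 'alg' alone
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(parts[1]))  # claims are trusted only after this point
    if claims.get("iss") != ISSUER:
        raise ValueError("untrusted issuer")
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        raise ValueError("token expired")
    return claims
```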
