JWT is designed to be used with OAuth and OpenID Connect. There is an IETF WG being created to standardize the signing and encryption for JWT and other JSON tokens.
John B.

> A new IETF working group has been proposed in the Security Area. The
> IESG has not made any determination as yet. The following draft charter
> was submitted, and is provided for informational purposes only. Please
> send your comments to the IESG mailing list ([email protected]) by Tuesday,
> September 6, 2011
>
> Javascript Object Signing and Encryption (jose)
> =================================================
> Status: Proposed Working Group
> Last updated: 2011-08-18
>
> Chairs
> TBD
>
> Security Area Directors:
> Stephen Farrell <[email protected]>
> Sean Turner <[email protected]>
>
> Security Area Advisor:
> Sean Turner <[email protected]>
>
> Mailing Lists:
> General Discussion: [email protected]
> To Subscribe: <https://www.ietf.org/mailman/listinfo/jose>
> Archive: <http://www.ietf.org/mail-archive/web/jose/>

On 2011-08-31, at 7:48 PM, Brian Campbell wrote:

> JWT is definitely not at odds with OAuth. I guess you could say JWT
> is potentially complementary in a number of ways (they can be used
> together but don't need to be). Though I'm not aware
> of any spec work around it, I suspect many will choose to use JWT as a
> bearer access token format. JWTs can also be used as an OAuth grant
> type [1] which is based on similar functionality for SAML tokens [2].
>
> [1] http://tools.ietf.org/html/draft-jones-oauth-jwt-bearer
> [2] http://tools.ietf.org/html/draft-ietf-oauth-saml2-bearer
>
>
> On Wed, Aug 31, 2011 at 3:15 PM, Justin Karneges <[email protected]> wrote:
>> On Wednesday, August 31, 2011 02:05:58 PM George Fletcher wrote:
>>> You could also use a signed JWT returned by the resource owner (web
>>> site) to be presented to the resource server (widget provider) that the
>>> resource server can validate (e.g. verify the signature). The JWT can
>>> contain scopes, expiry time, etc as needed. If the widget provider needs
>>> to access services at the resource owner, the JWT can contain an
>>> appropriate access_token for the user.
>>
>> Interesting, I was not aware of JSON Web Tokens until now. Is there a
>> relationship to OAuth? Are they at odds or serve different purposes?
>>
>> Justin
>> _______________________________________________
>> OAuth mailing list
>> [email protected]
>> https://www.ietf.org/mailman/listinfo/oauth
>>
> _______________________________________________
> OAuth mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/oauth
