The draft-jones-oauth-jwt-bearer profile is lacking a message ID that exists in
the SAML version.
This is important for the receiver to detect replay attacks.
For Connect I made up a claim to use:
tid: The tid (token id) claim. A nonce or unique identifier for the assertion.
The Assertion ID may be used by implementations requiring message de-duplication
for one-time use assertions.
I was tempted to use mid (Message ID); however, it is the id of the token, not the
message.
If you add something I will change the claim to be consistent.
I think it needs to be in your spec.
Regards
John B.
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
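The receiver-side check the message argues for, as an added example that is not part of the original post, the draft, or any implementation of it: a receiver verifies the assertion's signature, then enforces one-time use by remembering the unique id claim until the assertion's `exp` passes, so the cache stays bounded by the issuer's token lifetime. The claim name `tid` follows the message above and is only an assumed parameter here (later JWT work standardized an equivalent claim under a different name); the HS256 signing, shared key, clock values and claims are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Name of the per-assertion unique id claim. "tid" is the name proposed in the
# message above; the receiver only needs both sides to agree on it (assumption).
ASSERTION_ID_CLAIM = "tid"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_assertion(claims: dict, key: bytes) -> str:
    """Build a compact HS256 JWS carrying the given claims. Constructed for the
    example; a real issuer would normally use an asymmetric signature."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (_b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_assertion_signature(token: str, key: bytes) -> dict:
    """Check the HS256 signature and return the claims; ValueError on any
    structural or signature problem."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed compact serialization")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload_b64))


class ReplayCache:
    """Remembers assertion ids until their exp passes. An expired assertion is
    rejected anyway, so ids only need to be kept that long and the cache is
    bounded by the issuer's token lifetime rather than growing forever."""

    def __init__(self):
        self._seen = {}  # assertion id -> exp (unix seconds)

    def _evict(self, now: float) -> None:
        for aid in [a for a, exp in self._seen.items() if exp <= now]:
            del self._seen[aid]

    def size(self) -> int:
        return len(self._seen)

    def check_and_record(self, claims: dict, now: float):
        self._evict(now)
        aid = claims.get(ASSERTION_ID_CLAIM)
        exp = claims.get("exp")
        if not isinstance(aid, str) or not aid:
            return False, f"missing {ASSERTION_ID_CLAIM}"
        if not isinstance(exp, (int, float)):
            return False, "missing exp"
        if exp <= now:
            return False, "expired"
        if aid in self._seen:
            return False, "replay"  # same assertion presented a second time
        self._seen[aid] = exp
        return True, "ok"


def receive_assertion(token: str, key: bytes, cache: ReplayCache, now=None):
    """Receiver side: signature first, then one-time-use enforcement."""
    now = time.time() if now is None else now
    try:
        claims = verify_assertion_signature(token, key)
    except ValueError as err:
        return False, str(err)
    return cache.check_and_record(claims, now)


if __name__ == "__main__":
    key = b"example-shared-secret"  # constructed for the example
    cache = ReplayCache()
    now = 1_700_000_000
    token = make_assertion({"iss": "client-1", "aud": "https://as.example/token",
                            "exp": now + 300, ASSERTION_ID_CLAIM: "c6a2-1"}, key)
    print(receive_assertion(token, key, cache, now))      # (True, 'ok')
    print(receive_assertion(token, key, cache, now + 1))  # (False, 'replay')
```

The signature is checked before the cache is consulted so that an unauthenticated party cannot poison the cache with ids it guesses; a deployment with several receivers would need the cache to be shared (or the assertion's audience bound to a single receiver) for the one-time-use guarantee to hold.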