Thanks John. This makes sense to me.
Feedback from others?
-- Mike
From: John Bradley [mailto:[email protected]]
Sent: Wednesday, November 23, 2011 5:02 PM
To: oauth WG
Cc: Mike Jones
Subject: Message ID for draft-jones-oauth-jwt-bearer
The draft-jones-oauth-jwt-bearer<http://tools.ietf.org/html/draft-jones-oauth-jwt-bearer-02> profile is lacking a message ID that exists in the SAML version.
This is important for the receiver to detect replay attacks.
For Connect I made up a claim to use:
tid: The tid (token id) claim. A nonce or unique identifier for the assertion. The Assertion ID may be used by implementations requiring message de-duplication for one-time use assertions.
I was tempted to use mid (Message ID); however, it is the id of the token, not the message.
If you add something I will change the claim to be consistent.
I think it needs to be in your spec.
Regards
John B.
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
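An added example (not from the thread or the draft) of the receiver-side check John is asking for: a relying party verifies an HS256-signed JWT bearer assertion, then uses the proposed `tid` claim to reject a second presentation, keeping seen ids only until the assertion's `exp` has passed. The shared key, audience value and claim set are constructed for illustration.

```python
import base64, hashlib, hmac, json, time

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_assertion(claims: dict, key: bytes) -> str:
    """Constructed test helper: mint an HS256 JWT carrying the given claims."""
    head = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url(sig)}"

class ReplayCache:
    """Remembers each assertion id (proposed 'tid' claim) until the assertion expires."""
    def __init__(self, skew: int = 60):
        self.skew = skew
        self._seen = {}  # tid -> time after which the entry may be dropped

    def first_use(self, tid: str, exp: int, now: float) -> bool:
        for old in [t for t, until in self._seen.items() if until <= now]:
            del self._seen[old]  # bounded store: evict ids that can no longer replay
        if tid in self._seen:
            return False
        self._seen[tid] = exp + self.skew
        return True

def verify_assertion(jwt: str, key: bytes, audience: str,
                     cache: ReplayCache, now=None) -> str:
    """Signature first, then exp/aud, then one-time use via tid; returns 'ok' or a reason."""
    now = time.time() if now is None else now
    parts = jwt.split(".")
    if len(parts) != 3:
        return "malformed"
    head, body, sig = parts
    if json.loads(_unb64url(head)).get("alg") != "HS256":
        return "unexpected alg"  # refuses 'none' and algorithm confusion
    want = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(want, _unb64url(sig)):
        return "bad signature"
    claims = json.loads(_unb64url(body))
    exp, tid = claims.get("exp"), claims.get("tid")
    if claims.get("aud") != audience:
        return "aud mismatch"
    if not isinstance(exp, int) or now > exp + cache.skew:
        return "expired"
    if not isinstance(tid, str) or not tid:
        return "missing tid"  # without an id, replay cannot be detected
    return "ok" if cache.first_use(tid, exp, now) else "replayed"
```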