Thinking about it a bit more, since others may want to use "tid" for claims
with meanings like Transaction ID (or other words beginning with "t"), maybe
the claim name should be "jti" (JSON Web Token ID) to reduce the chance of name
collisions?
-- Mike
From: [email protected] [mailto:[email protected]] On Behalf Of Mike Jones
Sent: Wednesday, November 23, 2011 5:21 PM
To: John Bradley; oauth WG
Subject: Re: [OAUTH-WG] Message ID for draft-jones-oauth-jwt-bearer
Thanks John. This makes sense to me.
Feedback from others?
-- Mike
From: John Bradley [mailto:[email protected]]
Sent: Wednesday, November 23, 2011 5:02 PM
To: oauth WG
Cc: Mike Jones
Subject: Message ID for draft-jones-oauth-jwt-bearer
The draft-jones-oauth-jwt-bearer profile <http://tools.ietf.org/html/draft-jones-oauth-jwt-bearer-02> is lacking a message ID that exists in the SAML version.
This is important for the receiver to detect replay attacks.
For Connect I made up a claim to use:
tid: The tid (token id) claim. A nonce or unique identifier for the assertion.
The Assertion ID may be used by implementations requiring message de-duplication for one-time use assertions.
I was tempted to use mid (Message ID); however, it is the id of the token, not the message.
If you add something I will change the claim to be consistent.
I think it needs to be in your spec.
Regards
John B.
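One way a receiver could implement the de-duplication John describes, as an added example that is not code from this thread or from the draft. It assumes the claim is named jti (as Mike proposes), that signature, issuer and audience checks have already passed, and that the assertion carries a numeric exp claim; the cache keys on (iss, jti) so two issuers reusing the same id do not collide.

```python
import time


class JtiReplayCache:
    """Reject JWT bearer assertions whose jti has already been accepted.

    Only the de-duplication step is handled here; signature, issuer and
    audience validation are assumed to happen first. Entries are kept until
    the assertion's exp, after which a replay would be rejected as expired
    anyway, so the cache stays bounded without a separate cleanup job.
    """

    def __init__(self):
        self._seen = {}  # (iss, jti) -> exp, seconds since the epoch

    def _evict(self, now):
        for key, exp in list(self._seen.items()):
            if exp <= now:
                del self._seen[key]

    def check(self, claims, now=None):
        """Return (accepted, reason) for one set of verified claims."""
        now = time.time() if now is None else now
        self._evict(now)
        jti, exp = claims.get("jti"), claims.get("exp")
        if not isinstance(jti, str) or not jti:
            return False, "missing jti"
        if not isinstance(exp, (int, float)):
            return False, "missing exp"
        if exp <= now:
            return False, "expired"
        key = (claims.get("iss"), jti)
        if key in self._seen:
            return False, "replayed jti"
        self._seen[key] = exp
        return True, "accepted"


# Constructed sample claims (hypothetical values, not a real token).
ASSERTION = {"iss": "client-1", "aud": "https://as.example/token",
             "jti": "7d1c3b2e", "exp": 1_700_000_300}


def demo():
    cache = JtiReplayCache()
    first = cache.check(ASSERTION, now=1_700_000_000)   # accepted
    second = cache.check(ASSERTION, now=1_700_000_010)  # same jti: replay
    late = cache.check(ASSERTION, now=1_700_000_400)    # past exp: expired
    return first, second, late


if __name__ == "__main__":
    print(demo())
```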
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth