I'm with Tony on this.  This seems premature to put into the JWT standard.  All 
the other JWT claims have well established meanings and history behind them.  
These don't.

If the goal is to allow OpenID Connect implementations to not reject tokens 
using “cid”, there are lots of other ways to accomplish this that I think we 
should consider first.

-- Mike


From: John Bradley
Sent: December 19, 2012 6:25 PM
To: Anthony Nadalin
CC: oauth
Subject: Re: [OAUTH-WG] "cid" claim in JWT

I agree, audience, who requested it and who it is requested for are all 
interrelated.

However we do need to set down some standard way of expressing it as people are 
starting to make stuff up on their own that will impact interoperability.

If Google starts throwing in cid and clients don't know about it they must 
reject the JWT etc.

John

On 2012-12-19, at 9:40 PM, Anthony Nadalin 
<[email protected]> wrote:

It seems premature and we should consider this in the bigger context of the “on 
behalf of”/delegation work that has been started

From: [email protected] [mailto:[email protected]] On Behalf Of Nat 
Sakimura
Sent: Tuesday, December 18, 2012 6:22 PM
To: oauth
Subject: [OAUTH-WG] "cid" claim in JWT

In OpenID Connect WG, we have been talking about this for some time.
"cid" claim identifies the entity that the JWT was issued to as a 
rightful/licensed user.
Google already uses this in their implementation of id_token of OIDC.

Here is the text proposal. It introduces two new standard claims: "cid" and 
"cit".

It would be very useful in creating HoK drafts as well.

Cheers,

Nat

4.1.9. "cid" Client Identification Data Claim

The "cid" (client identification data) claim allows the receiver
of the JWT to identify the entity that the JWT is intended to be
used by. The audience of the JWT MUST be able to identify the
client with the value of this claim.

The "cid" value is a case sensitive string containing a StringOrURI value.
This claim is OPTIONAL. If the entity processing the claim does not
identify the user of the JWT with the identifier in the "cid" claim value,
then the JWT MUST be rejected. The interpretation of the registered to
value is generally application specific.

A typical example of a registered to claim includes the following:

* client_id that the audience can use to authenticate and
  identify the client.
* A base64url encoded JWK.
* A URL that points to the key material that the audience can use to
  authenticate the user of the JWT.

4.1.10 "cit" (Client Identification Data claim type)

The "cit" (Client Identification Data claim type) identifies the type
of the "cid" claim. It is a StringOrURI value. The defined values
are the following:

"client_id" The value of the "cid" claim is the Client ID of the client
that the audience of the JWT is able to use to authenticate the client.

"jwk" The value of the "cid" claim is a base64url encoded JWK of
the registered client.

"jku" The value of the "cid" claim is the "jku" defined in 4.1.2 of
JSON Web Signature [JWS].

"x5u" The value of the "cid" claim is the URL that points to the public
key certificate of the registered client. The format of the content
that x5u points to is described in section 4.1.4 of the JSON Web Signature.


--
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en

_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
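The rejection rule in the proposal quoted above ("if the entity processing the claim does not identify the user of the JWT with the identifier in the 'cid' claim value, then the JWT MUST be rejected"), written out as a validator for the four defined "cit" types. This is an added illustration, not code from the proposal, from Google's id_token implementation or from any OpenID Connect library. It assumes the audience already holds the client's registration (client_id, JWK and the jku/x5u URLs it registered) in a hypothetical `registered` dict, and that a token carrying "cid" without "cit" is read as "client_id"; every sample value is constructed.

```python
import base64
import json

# The "cit" values defined in the quoted proposal.
KNOWN_CIT = {"client_id", "jwk", "jku", "x5u"}


def b64url_decode(value: str) -> bytes:
    """Decode unpadded base64url, as JWK/JWS use it."""
    return base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))


def encode_jwk(jwk: dict) -> str:
    """Serialise a JWK the way a "cit":"jwk" token would carry it."""
    raw = json.dumps(jwk, sort_keys=True, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def check_cid(payload: dict, registered: dict) -> bool:
    """True if the token passes the proposal's "cid" rule: no "cid" is fine
    (OPTIONAL); a "cid" the audience cannot match to what it holds for the
    client, or an unknown "cit", means the JWT MUST be rejected."""
    if "cid" not in payload:
        return True
    cid = payload["cid"]
    cit = payload.get("cit", "client_id")  # assumption: default type
    if not isinstance(cid, str) or cit not in KNOWN_CIT:
        return False
    if cit == "client_id":
        return cid == registered.get("client_id")
    if cit == "jwk":
        try:
            presented = json.loads(b64url_decode(cid))
        except ValueError:  # bad base64url, bad UTF-8 or bad JSON
            return False
        return presented == registered.get("jwk")
    # "jku" / "x5u": compare with the URL the client registered; never
    # fetch whatever URL the token itself supplies.
    return cid == registered.get(cit)


# Constructed sample of what the audience holds for one client
# (hypothetical values, not from the proposal or any real deployment).
REGISTERED = {
    "client_id": "s6BhdRkqt3",
    "jwk": {"kty": "EC", "crv": "P-256", "x": "x-coord-b64url", "y": "y-coord-b64url"},
    "jku": "https://client.example.org/keys.json",
    "x5u": "https://client.example.org/client.pem",
}
```

The jku/x5u branches deliberately compare URLs rather than dereference them, so a token cannot steer the audience to key material it did not register.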

