[OAUTH-WG] Plaintext JWT bug

Thu, 01 Aug 2013 05:19:26 -0700 

It has come to my attention that JWT is using "alg":"none" to create
"Plaintext JWTs".  Some of us in JOSE believe that this "alg" value should
be removed, because of a risk of downgrade attacks.  In order to do that, a
suggested revision to JWT is below.  To summarize:
-- Plaintext JWTs are not JWSs.
-- They just have a header and payload (separated by a '.')
-- The header MUST NOT contain "alg", since there's no crypto going on

Thanks,
--Richard


-----BEGIN-----
6.  Plaintext JWTs

   To support use cases where the JWT content is secured by a means
   other than a signature and/or encryption contained within the JWT
   (such as a signature on a data structure containing the JWT), JWTs
   MAY also be created without a signature or encryption.  A plaintext
   JWT is the concatenation of a base64url-encoded JWT Header, a
   period ('.') character, and the base64url-encoded JWT Claims Set.

   The header of a plaintext JWT contains parameters drawn from the
   set as the JWS header.  However, a JWT header MUST NOT contain an
   "alg" header parameter, since no cryptographic processing is being
   performed.

6.1.  Example Plaintext JWT

   The following example JWT Header declares that the encoded object is
   a Plaintext JWT:

     {"typ":"JWT"}

   Base64url encoding the octets of the UTF-8 representation of the JWT
   Header yields this Encoded JWT Header:

     eyJ0eXAiOiJKV1QifQ

   The following is an example of a JWT Claims Set:

     {"iss":"joe",
      "exp":1300819380,
      "http://example.com/is_root":true}

   Base64url encoding the octets of the UTF-8 representation of the JWT
   Claims Set yields this Encoded JWS Payload (with line breaks for
   display purposes only):

     eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFt
     cGxlLmNvbS9pc19yb290Ijp0cnVlfQ

   Concatenating these parts in this order with aperiod ('.') character
   between the parts yields this complete JWT (with line breaks for
   display purposes only):

     eyJ0eXAiOiJKV1QifQ
     .
     eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFt
     cGxlLmNvbS9pc19yb290Ijp0cnVlfQ


-----END-----

_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth

Reply via email to