JWT defines a number of standard claims that are used in this application, including "iss" (issuer), "aud" (audience), etc. Making the requests a JWT allows code reuse, rather than having an application-specific signed request representation that has many of the semantics and fields of a JWT anyway.
It's also worth noting that this practice has been a standard since 2014. OpenID Connect Core standardized the OAuth signed request format in https://openid.net/specs/openid-connect-core-1_0.html#JWTRequests. The draft-ietf-oauth-jwsreq<https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-17> spec is the OAuth-only version of this already standard and deployed practice. (There are other precedents for OAuth subsetting standard OpenID Connect functionality. For instance, RFC 8414<https://tools.ietf.org/html/rfc8414> is the OAuth-specific subset of the metadata format defined by OpenID Connect Discovery<https://openid.net/specs/openid-connect-discovery-1_0.html>.)

-- Mike

-----Original Message-----
From: OAuth <[email protected]> On Behalf Of Jim Schaad
Sent: Wednesday, October 31, 2018 8:33 AM
To: [email protected]
Cc: 'oauth' <[email protected]>
Subject: [OAUTH-WG] Mail regarding draft-ietf-oauth-jwsreq

As part of looking at the issues of using CWTs for this purpose I did some more reading of the document. I am having a problem understanding the reasons for using JWT as opposed to just saying that you are going to use JWS and JWE. There is nothing in this section that I can see that points to a reason to be using JWTs as the carrier. What am I missing?

Jim

_______________________________________________
OAuth mailing list
[email protected]<mailto:[email protected]>
https://www.ietf.org/mailman/listinfo/oauth
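To make the point about claim reuse concrete, here is an added example (not code from the thread, the draft, or any OpenID implementation) of a Request Object built as a JWT and validated on the authorization-server side. The OAuth parameters ride as ordinary claims next to the standard "iss", "aud", "iat" and "exp" claims, so the server's checks on issuer, audience and expiry are the same generic JWT checks it already applies elsewhere. The client id, AS issuer URL and HS256 shared key are constructed demo values; the rule that "iss" must equal "client_id" is an assumption made here for the validator, not something the thread states.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo values (not taken from the thread): one client, one AS, one shared key.
CLIENT_ID = "s6BhdRkqt3"
AS_ISSUER = "https://as.example.com"
SHARED_KEY = b"constructed-demo-key-do-not-reuse"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def build_request_object(params: dict, now: int, key: bytes = SHARED_KEY) -> str:
    """Client side: wrap authorization-request parameters in a JWT (JWS compact, HS256).

    The standard JWT claims form the envelope: iss = client, aud = AS, iat/exp for freshness.
    The OAuth parameters (response_type, client_id, redirect_uri, scope, ...) are plain claims.
    """
    claims = {
        "iss": CLIENT_ID,
        "aud": AS_ISSUER,
        "iat": now,
        "exp": now + 300,
        **params,
    }
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_request_object(token: str, now: int, key: bytes = SHARED_KEY) -> dict:
    """AS side: check the signature, then the generic JWT claims, then OAuth consistency.

    Raises ValueError on any failure and returns the claims only when everything holds.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWS compact serialization")
    header = json.loads(_b64url_decode(parts[0]))
    if header.get("alg") != "HS256":
        # The verifier pins the algorithm; the token never gets to choose it.
        raise ValueError("unexpected alg")
    expected = hmac.new(key, (parts[0] + "." + parts[1]).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(parts[1]))

    # Generic JWT checks, identical to those for any other JWT this server accepts.
    if claims.get("aud") != AS_ISSUER:
        raise ValueError("aud does not name this authorization server")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("request object expired or has no exp")

    # Request-object specific check (assumption in this example): iss must be the client itself.
    if claims.get("iss") != claims.get("client_id") or claims.get("iss") != CLIENT_ID:
        raise ValueError("iss must match a registered client_id")
    return claims


if __name__ == "__main__":
    demo_params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": "https://client.example.org/cb",
        "scope": "openid",
    }
    tok = build_request_object(demo_params, now=1_000_000)
    print(json.dumps(verify_request_object(tok, now=1_000_100), indent=2))
```

The validator deliberately hard-codes the algorithm and treats the audience and expiry checks as the generic JWT layer; only the last check (issuer equals client_id) knows anything about OAuth, which is the reuse the thread is pointing at.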
