Actually, the JWT BCP (which we were both authors of) does not recommend using
a single media type. Rather, it recommends using a specific media type suffix
in the “typ”
values<https://www.rfc-editor.org/rfc/rfc8725.html#name-use-explicit-typing>:
When explicit typing is employed for a JWT, it is RECOMMENDED that a media type
name of the format "application/example+jwt" be used, where "example" is
replaced by the identifier for the specific kind of JWT.
SD-JWT is doing the same thing, recommending the use of the media type suffix
“+sd-jwt”.
This enables more fine-grained explicit typing. For instance, when doing
explicit typing for an SD-JWT in the Example use case, the “typ” value would be
“example+sd-jwt”. This can then be distinguished from an SD-JWT for the Other
use case, which would use the “typ” value “other+sd-jwt” – meeting the goal of
explicit typing.
-- Mike
From: Dick Hardt <[email protected]>
Sent: Saturday, September 21, 2024 9:16 AM
To: Daniel Fett <[email protected]>
Cc: [email protected]; [email protected]
Subject: [OAUTH-WG] Re: SD-JWT architecture feedback
…
Explicit Typing
Why leave the typing in the header to be determined by the application (10.11),
and not just be 'sd-jwt' and be REQUIRED?
We had extensive discussions around typing, please refer to the following
issues:
- https://github.com/oauth-wg/oauth-selective-disclosure-jwt/issues/267
- https://github.com/oauth-wg/oauth-selective-disclosure-jwt/issues/327
- https://github.com/oauth-wg/oauth-selective-disclosure-jwt/issues/345
Those issues don't really address the point.
Per RFC 8725: JSON Web Token Best Current Practices
(rfc-editor.org)<https://www.rfc-editor.org/rfc/rfc8725.html#name-use-explicit-typing>
-- the best practice would be to have a single type that would allow a library
to know it is an SD-JWT. If additional context is needed, perhaps that should
be a different header property?
_______________________________________________
OAuth mailing list -- [email protected]
To unsubscribe send an email to [email protected]
