Yes, the change controller for "nonce" is the OpenID Foundation's Connect
Working Group (called Artifact Binding Working Group for historical reasons
https://www.iana.org/assignments/jwt/jwt.xhtml). But I don't think there
would be any resistance to an update because it's all basically the same
On Thu, Jun 16, 2022 at 04:18:49PM -0600, Brian Campbell wrote:
> I'm not sure the JWT claims registry has turned out to be exactly what was
> envisioned. And, to your point, the utility of some of the registrations is
> questionable. The issue of name conflicts vs reuse is more subtle than it
>
I guess it is not true in practice … and now I’m going to have to go look at
the DPoP usage …
On Thu, Jun 16, 2022 at 2:32 PM Neil Madden wrote:
> Is that actually true? The DPoP spec itself is a case in point: it reuses
> the existing OIDC “nonce” claim but explicitly says that DPoP nonces are
>
I'm not sure the JWT claims registry has turned out to be exactly what was
envisioned. And, to your point, the utility of some of the registrations is
questionable. The issue of name conflicts vs reuse is more subtle than it
seems. And practically speaking the registry is kind of the only way to
Is that actually true? The DPoP spec itself is a case in point: it reuses the
existing OIDC “nonce” claim but explicitly says that DPoP nonces are not like
OIDC nonces (section 9):
“ Developers should also take care to not
confuse DPoP nonces with the OpenID Connect [OpenID.Core] ID Token
Registering the names provides clarity on use and avoids confusion on the
meaning of a claim — i.e. two specs won’t have conflicting definitions of
“htm”
On Thu, Jun 16, 2022 at 10:20 AM Warren Parad wrote:
> I think the registration really helps with discovery, especially as an
> implementer.
I think the registration really helps with discovery, especially as an
implementer. When you see or observe these claims in a JWT, you can google
them, potentially returning no results. If you know about the IANA registry
you can find them, even if you don't know that the tokens have anything to
do
The DPoP spec registers the “htm”, “htu”, and “ath” claims [1]. But do these
claims actually make sense outside of a DPoP proof? Presumably the risk of
naming collision within a DPoP proof is pretty small, so is there any benefit
to registering them rather than just using them as private