< draft-ietf-oauth-json-web-token-02.txt   draft-ietf-oauth-json-web-token-03.txt >
OAuth Working Group M. Jones OAuth Working Group M. Jones
Internet-Draft Microsoft Internet-Draft Microsoft
Intended status: Standards Track J. Bradley Intended status: Standards Track J. Bradley
Expires: January 17, 2013 Ping Identity Expires: January 31, 2013 Ping Identity
N. Sakimura N. Sakimura
NRI NRI
July 16, 2012 July 30, 2012
JSON Web Token (JWT) JSON Web Token (JWT)
draft-ietf-oauth-json-web-token-02 draft-ietf-oauth-json-web-token-03
Abstract Abstract
JSON Web Token (JWT) is a means of representing claims to be JSON Web Token (JWT) is a means of representing claims to be
transferred between two parties. The claims in a JWT are encoded as transferred between two parties. The claims in a JWT are encoded as
a JavaScript Object Notation (JSON) object that is digitally signed a JavaScript Object Notation (JSON) object that is digitally signed
or MACed using JSON Web Signature (JWS) and/or encrypted using JSON or MACed using JSON Web Signature (JWS) and/or encrypted using JSON
Web Encryption (JWE). Web Encryption (JWE).
The suggested pronunciation of JWT is the same as the English word The suggested pronunciation of JWT is the same as the English word
skipping to change at page 1, line 40 skipping to change at page 1, line 40
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on January 17, 2013. This Internet-Draft will expire on January 31, 2013.
Copyright Notice Copyright Notice
Copyright (c) 2012 IETF Trust and the persons identified as the Copyright (c) 2012 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 3, line 15 skipping to change at page 3, line 15
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 5 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 5
1.1. Notational Conventions . . . . . . . . . . . . . . . . . . 5 1.1. Notational Conventions . . . . . . . . . . . . . . . . . . 5
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 5 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 5
3. JSON Web Token (JWT) Overview . . . . . . . . . . . . . . . . 6 3. JSON Web Token (JWT) Overview . . . . . . . . . . . . . . . . 6
3.1. Example JWT . . . . . . . . . . . . . . . . . . . . . . . 7 3.1. Example JWT . . . . . . . . . . . . . . . . . . . . . . . 7
4. JWT Claims . . . . . . . . . . . . . . . . . . . . . . . . . . 8 4. JWT Claims . . . . . . . . . . . . . . . . . . . . . . . . . . 8
4.1. Reserved Claim Names . . . . . . . . . . . . . . . . . . . 8 4.1. Reserved Claim Names . . . . . . . . . . . . . . . . . . . 8
4.1.1. "exp" (Expiration Time) Claim . . . . . . . . . . . . 8 4.1.1. "exp" (Expiration Time) Claim . . . . . . . . . . . . 8
4.1.2. "nbf" (Not Before) Claim . . . . . . . . . . . . . . . 8 4.1.2. "nbf" (Not Before) Claim . . . . . . . . . . . . . . . 9
4.1.3. "iat" (Issued At) Claim . . . . . . . . . . . . . . . 9 4.1.3. "iat" (Issued At) Claim . . . . . . . . . . . . . . . 9
4.1.4. "iss" (Issuer) Claim . . . . . . . . . . . . . . . . . 9 4.1.4. "iss" (Issuer) Claim . . . . . . . . . . . . . . . . . 9
4.1.5. "aud" (Audience) Claim . . . . . . . . . . . . . . . . 9 4.1.5. "aud" (Audience) Claim . . . . . . . . . . . . . . . . 9
4.1.6. "prn" (Principal) Claim . . . . . . . . . . . . . . . 9 4.1.6. "prn" (Principal) Claim . . . . . . . . . . . . . . . 9
4.1.7. "jti" (JWT ID) Claim . . . . . . . . . . . . . . . . . 9 4.1.7. "jti" (JWT ID) Claim . . . . . . . . . . . . . . . . . 10
4.1.8. "typ" (Type) Claim . . . . . . . . . . . . . . . . . . 10 4.1.8. "typ" (Type) Claim . . . . . . . . . . . . . . . . . . 10
4.2. Public Claim Names . . . . . . . . . . . . . . . . . . . . 10 4.2. Public Claim Names . . . . . . . . . . . . . . . . . . . . 10
4.3. Private Claim Names . . . . . . . . . . . . . . . . . . . 10 4.3. Private Claim Names . . . . . . . . . . . . . . . . . . . 10
5. JWT Header . . . . . . . . . . . . . . . . . . . . . . . . . . 10 5. JWT Header . . . . . . . . . . . . . . . . . . . . . . . . . . 10
5.1. "typ" (Type) Header Parameter . . . . . . . . . . . . . . 10 5.1. "typ" (Type) Header Parameter . . . . . . . . . . . . . . 11
5.2. "cty" (Content Type) Header Parameter . . . . . . . . . . 11 5.2. "cty" (Content Type) Header Parameter . . . . . . . . . . 11
6. Plaintext JWTs . . . . . . . . . . . . . . . . . . . . . . . . 11 6. Plaintext JWTs . . . . . . . . . . . . . . . . . . . . . . . . 11
6.1. Example Plaintext JWT . . . . . . . . . . . . . . . . . . 11 6.1. Example Plaintext JWT . . . . . . . . . . . . . . . . . . 11
7. Rules for Creating and Validating a JWT . . . . . . . . . . . 12 7. Rules for Creating and Validating a JWT . . . . . . . . . . . 12
8. Cryptographic Algorithms . . . . . . . . . . . . . . . . . . . 14 8. Cryptographic Algorithms . . . . . . . . . . . . . . . . . . . 14
9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 15 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 15
9.1. JSON Web Token Claims Registry . . . . . . . . . . . . . . 15 9.1. JSON Web Token Claims Registry . . . . . . . . . . . . . . 15
9.1.1. Registration Template . . . . . . . . . . . . . . . . 15 9.1.1. Registration Template . . . . . . . . . . . . . . . . 16
9.1.2. Initial Registry Contents . . . . . . . . . . . . . . 16 9.1.2. Initial Registry Contents . . . . . . . . . . . . . . 16
9.2. Sub-Namespace Registration of 9.2. Sub-Namespace Registration of
urn:ietf:params:oauth:token-type:jwt . . . . . . . . . . . 17 urn:ietf:params:oauth:token-type:jwt . . . . . . . . . . . 17
9.2.1. Registry Contents . . . . . . . . . . . . . . . . . . 17 9.2.1. Registry Contents . . . . . . . . . . . . . . . . . . 17
9.3. JSON Web Signature and Encryption Type Values 9.3. JSON Web Signature and Encryption Type Values
Registration . . . . . . . . . . . . . . . . . . . . . . . 17 Registration . . . . . . . . . . . . . . . . . . . . . . . 17
9.3.1. Registry Contents . . . . . . . . . . . . . . . . . . 17 9.3.1. Registry Contents . . . . . . . . . . . . . . . . . . 17
9.4. Media Type Registration . . . . . . . . . . . . . . . . . 17 9.4. Media Type Registration . . . . . . . . . . . . . . . . . 18
9.4.1. Registry Contents . . . . . . . . . . . . . . . . . . 17 9.4.1. Registry Contents . . . . . . . . . . . . . . . . . . 18
10. Security Considerations . . . . . . . . . . . . . . . . . . . 18 10. Security Considerations . . . . . . . . . . . . . . . . . . . 19
11. Open Issues . . . . . . . . . . . . . . . . . . . . . . . . . 19 11. Open Issues . . . . . . . . . . . . . . . . . . . . . . . . . 19
12. References . . . . . . . . . . . . . . . . . . . . . . . . . . 19 12. References . . . . . . . . . . . . . . . . . . . . . . . . . . 19
12.1. Normative References . . . . . . . . . . . . . . . . . . . 19 12.1. Normative References . . . . . . . . . . . . . . . . . . . 19
12.2. Informative References . . . . . . . . . . . . . . . . . . 20 12.2. Informative References . . . . . . . . . . . . . . . . . . 20
Appendix A. Example Encrypted JWT . . . . . . . . . . . . . . . . 21 Appendix A. Example Encrypted JWT . . . . . . . . . . . . . . . . 21
Appendix B. Relationship of JWTs to SAML Tokens . . . . . . . . . 22 Appendix B. Relationship of JWTs to SAML Tokens . . . . . . . . . 22
Appendix C. Relationship of JWTs to Simple Web Tokens (SWTs) . . 22 Appendix C. Relationship of JWTs to Simple Web Tokens (SWTs) . . 22
Appendix D. Acknowledgements . . . . . . . . . . . . . . . . . . 22 Appendix D. Acknowledgements . . . . . . . . . . . . . . . . . . 23
Appendix E. Document History . . . . . . . . . . . . . . . . . . 23 Appendix E. Document History . . . . . . . . . . . . . . . . . . 23
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 23 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 24
1. Introduction 1. Introduction
JSON Web Token (JWT) is a compact token format intended for space JSON Web Token (JWT) is a compact token format intended for space
constrained environments such as HTTP Authorization headers and URI constrained environments such as HTTP Authorization headers and URI
query parameters. JWTs encode claims to be transmitted as a query parameters. JWTs encode claims to be transmitted as a
JavaScript Object Notation (JSON) [RFC4627] object that is base64url JavaScript Object Notation (JSON) [RFC4627] object that is base64url
encoded and digitally signed or MACed and/or encrypted. Signing and encoded and digitally signed or MACed and/or encrypted. Signing and
MACing is performed using JSON Web Signature (JWS) [JWS]. Encryption MACing is performed using JSON Web Signature (JWS) [JWS]. Encryption
is performed using JSON Web Encryption (JWE) [JWE]. is performed using JSON Web Encryption (JWE) [JWE].
skipping to change at page 6, line 36 skipping to change at page 6, line 36
functions. Examples of Collision Resistant Namespaces include: functions. Examples of Collision Resistant Namespaces include:
Domain Names, Object Identifiers (OIDs) as defined in the ITU-T Domain Names, Object Identifiers (OIDs) as defined in the ITU-T
X.660 and X.670 Recommendation series, and Universally Unique X.660 and X.670 Recommendation series, and Universally Unique
IDentifiers (UUIDs) [RFC4122]. When using an administratively IDentifiers (UUIDs) [RFC4122]. When using an administratively
delegated namespace, the definer of a name needs to take delegated namespace, the definer of a name needs to take
reasonable precautions to ensure they are in control of the reasonable precautions to ensure they are in control of the
portion of the namespace they use to define the name. portion of the namespace they use to define the name.
StringOrURI A JSON string value, with the additional requirement StringOrURI A JSON string value, with the additional requirement
that while arbitrary string values MAY be used, any value that while arbitrary string values MAY be used, any value
containing a ":" character MUST be a URI [RFC3986]. containing a ":" character MUST be a URI [RFC3986]. StringOrURI
values are compared as case-sensitive strings with no
transformations or canonicalizations applied.
IntDate A JSON numeric value representing the number of seconds from IntDate A JSON numeric value representing the number of seconds from
1970-01-01T0:0:0Z UTC until the specified UTC date/time. See RFC 1970-01-01T0:0:0Z UTC until the specified UTC date/time. See RFC
3339 [RFC3339] for details regarding date/times in general and UTC 3339 [RFC3339] for details regarding date/times in general and UTC
in particular. in particular.
3. JSON Web Token (JWT) Overview 3. JSON Web Token (JWT) Overview
JWTs represent a set of claims as a JSON object that is base64url JWTs represent a set of claims as a JSON object that is base64url
encoded and digitally signed or MACed and/or encrypted. The JWT encoded and digitally signed or MACed and/or encrypted. The JWT
skipping to change at page 7, line 26 skipping to change at page 7, line 28
Header, the claims are encrypted. Header, the claims are encrypted.
A JWT is represented as a JWS or JWE. The number of parts is A JWT is represented as a JWS or JWE. The number of parts is
dependent upon the representation of the resulting JWS or JWE. dependent upon the representation of the resulting JWS or JWE.
3.1. Example JWT 3.1. Example JWT
The following example JWT Header declares that the encoded object is The following example JWT Header declares that the encoded object is
a JSON Web Token (JWT) and the JWT is MACed using the HMAC SHA-256 a JSON Web Token (JWT) and the JWT is MACed using the HMAC SHA-256
algorithm: algorithm:
{"typ":"JWT",
"alg":"HS256"} {"typ":"JWT",
"alg":"HS256"}
Base64url encoding the bytes of the UTF-8 representation of the JWT Base64url encoding the bytes of the UTF-8 representation of the JWT
Header yields this Encoded JWS Header value, which is used as the Header yields this Encoded JWS Header value, which is used as the
Encoded JWT Header: Encoded JWT Header:
eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9
eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9
The following is an example of a JWT Claims Set: The following is an example of a JWT Claims Set:
{"iss":"joe",
"exp":1300819380, {"iss":"joe",
"http://example.com/is_root":true} "exp":1300819380,
"http://example.com/is_root":true}
Base64url encoding the bytes of the UTF-8 representation of the JSON Base64url encoding the bytes of the UTF-8 representation of the JSON
Claims Set yields this Encoded JWS Payload (with line breaks for Claims Set yields this Encoded JWS Payload (with line breaks for
display purposes only): display purposes only):
eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly
9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly
9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ
Signing the Encoded JWS Header and Encoded JWS Payload with the HMAC Signing the Encoded JWS Header and Encoded JWS Payload with the HMAC
SHA-256 algorithm and base64url encoding the signature in the manner SHA-256 algorithm and base64url encoding the signature in the manner
specified in [JWS], yields this Encoded JWS Signature: specified in [JWS], yields this Encoded JWS Signature:
dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk
dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk
Concatenating these parts in this order with period characters Concatenating these parts in this order with period characters
between the parts yields this complete JWT (with line breaks for between the parts yields this complete JWT (with line breaks for
display purposes only): display purposes only):
eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9 eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9
. .
eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFt eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFt
cGxlLmNvbS9pc19yb290Ijp0cnVlfQ cGxlLmNvbS9pc19yb290Ijp0cnVlfQ
. .
dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk
This computation is illustrated in more detail in [JWS], Appendix This computation is illustrated in more detail in [JWS], Appendix
A.1. See Appendix A for an example of an encrypted JWT. A.1. See Appendix A for an example of an encrypted JWT.
4. JWT Claims 4. JWT Claims
The JWT Claims Set represents a JSON object whose members are the The JWT Claims Set represents a JSON object whose members are the
claims conveyed by the JWT. The Claim Names within this object MUST claims conveyed by the JWT. The Claim Names within this object MUST
be unique; JWTs with duplicate Claim Names MUST be rejected. Note be unique; JWTs with duplicate Claim Names MUST be rejected. Note
however, that the set of claims that a JWT must contain to be however, that the set of claims that a JWT must contain to be
skipping to change at page 11, line 35 skipping to change at page 11, line 44
(such as a signature on a data structure containing the token), JWTs (such as a signature on a data structure containing the token), JWTs
MAY also be created without a signature or encryption. A plaintext MAY also be created without a signature or encryption. A plaintext
JWT is a JWS using the "none" JWS "alg" header parameter value JWT is a JWS using the "none" JWS "alg" header parameter value
defined in JSON Web Algorithms (JWA) [JWA]; it is a JWS with an empty defined in JSON Web Algorithms (JWA) [JWA]; it is a JWS with an empty
JWS Signature value. JWS Signature value.
6.1. Example Plaintext JWT 6.1. Example Plaintext JWT
The following example JWT Header declares that the encoded object is The following example JWT Header declares that the encoded object is
a Plaintext JWT: a Plaintext JWT:
{"alg":"none"}
{"alg":"none"}
Base64url encoding the bytes of the UTF-8 representation of the JWT Base64url encoding the bytes of the UTF-8 representation of the JWT
Header yields this Encoded JWT Header: Header yields this Encoded JWT Header:
eyJhbGciOiJub25lIn0
eyJhbGciOiJub25lIn0
The following is an example of a JWT Claims Set: The following is an example of a JWT Claims Set:
{"iss":"joe",
"exp":1300819380, {"iss":"joe",
"http://example.com/is_root":true} "exp":1300819380,
"http://example.com/is_root":true}
Base64url encoding the bytes of the UTF-8 representation of the JSON Base64url encoding the bytes of the UTF-8 representation of the JSON
Claims Set yields this Encoded JWS Payload (with line breaks for Claims Set yields this Encoded JWS Payload (with line breaks for
display purposes only): display purposes only):
eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFt
cGxlLmNvbS9pc19yb290Ijp0cnVlfQ eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFt
cGxlLmNvbS9pc19yb290Ijp0cnVlfQ
The Encoded JWS Signature is the empty string. The Encoded JWS Signature is the empty string.
Concatenating these parts in this order with period characters Concatenating these parts in this order with period characters
between the parts yields this complete JWT (with line breaks for between the parts yields this complete JWT (with line breaks for
display purposes only): display purposes only):
eyJhbGciOiJub25lIn0
. eyJhbGciOiJub25lIn0
eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFt .
cGxlLmNvbS9pc19yb290Ijp0cnVlfQ eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFt
. cGxlLmNvbS9pc19yb290Ijp0cnVlfQ
.
7. Rules for Creating and Validating a JWT 7. Rules for Creating and Validating a JWT
To create a JWT, one MUST perform these steps. The order of the To create a JWT, one MUST perform these steps. The order of the
steps is not significant in cases where there are no dependencies steps is not significant in cases where there are no dependencies
between the inputs and outputs of the steps. between the inputs and outputs of the steps.
1. Create a JWT Claims Set containing the desired claims. Note that 1. Create a JWT Claims Set containing the desired claims. Note that
white space is explicitly allowed in the representation and no white space is explicitly allowed in the representation and no
canonicalization is performed before encoding. canonicalization is performed before encoding.
skipping to change at page 19, line 23 skipping to change at page 19, line 35
The following items remain to be considered or done in this draft: The following items remain to be considered or done in this draft:
o Track changes to the underlying JOSE specifications. o Track changes to the underlying JOSE specifications.
12. References 12. References
12.1. Normative References 12.1. Normative References
[I-D.ietf-oauth-urn-sub-ns] [I-D.ietf-oauth-urn-sub-ns]
Campbell, B. and H. Tschofenig, "An IETF URN Sub-Namespace Campbell, B. and H. Tschofenig, "An IETF URN Sub-Namespace
for OAuth", draft-ietf-oauth-urn-sub-ns-05 (work in for OAuth", draft-ietf-oauth-urn-sub-ns-06 (work in
progress), June 2012. progress), July 2012.
[JWA] Jones, M., "JSON Web Algorithms (JWA)", July 2012. [JWA] Jones, M., "JSON Web Algorithms (JWA)", July 2012.
[JWE] Jones, M., Rescorla, E., and J. Hildebrand, "JSON Web [JWE] Jones, M., Rescorla, E., and J. Hildebrand, "JSON Web
Encryption (JWE)", July 2012. Encryption (JWE)", July 2012.
[JWS] Jones, M., Bradley, J., and N. Sakimura, "JSON Web [JWS] Jones, M., Bradley, J., and N. Sakimura, "JSON Web
Signature (JWS)", July 2012. Signature (JWS)", July 2012.
[RFC2046] Freed, N. and N. Borenstein, "Multipurpose Internet Mail [RFC2046] Freed, N. and N. Borenstein, "Multipurpose Internet Mail
skipping to change at page 21, line 30 skipping to change at page 21, line 42
o the Plaintext is encrypted using the AES CBC algorithm with a 128 o the Plaintext is encrypted using the AES CBC algorithm with a 128
bit key to produce the Ciphertext, bit key to produce the Ciphertext,
o the JWE Integrity Value safeguarding the integrity of the o the JWE Integrity Value safeguarding the integrity of the
Ciphertext and the parameters used to create it was computed with Ciphertext and the parameters used to create it was computed with
the HMAC SHA-256 algorithm, and the HMAC SHA-256 algorithm, and
o the 128 bit Initialization Vector (IV) with the base64url encoding o the 128 bit Initialization Vector (IV) with the base64url encoding
"AxY8DCtDaGlsbGljb3RoZQ" was used. "AxY8DCtDaGlsbGljb3RoZQ" was used.
{"alg":"RSA1_5","enc":"A128CBC","int":"HS256","iv":"AxY8DCtDaGls {"alg":"RSA1_5","enc":"A128CBC","int":"HS256","iv":"AxY8DCtDaGls
bGljb3RoZQ"} bGljb3RoZQ"}
Other than using the bytes of the UTF-8 representation of the JSON Other than using the bytes of the UTF-8 representation of the JSON
Claims Set from Section 3.1 as the plaintext value, the computation Claims Set from Section 3.1 as the plaintext value, the computation
of this JWT is identical to the computation of the JWE in Appendix of this JWT is identical to the computation of the JWE in Appendix
A.2 of [JWE], including the keys used. A.2 of [JWE], including the keys used.
The final result in this example (with line breaks for display The final result in this example (with line breaks for display
purposes only) is: purposes only) is:
eyJhbGciOiJSU0ExXzUiLCJlbmMiOiJBMTI4Q0JDIiwiaW50IjoiSFMyNTYiLCJp eyJhbGciOiJSU0ExXzUiLCJlbmMiOiJBMTI4Q0JDIiwiaW50IjoiSFMyNTYiLCJp
diI6IkF4WThEQ3REYUdsc2JHbGpiM1JvWlEifQ. diI6IkF4WThEQ3REYUdsc2JHbGpiM1JvWlEifQ.
VjBkk22MjrFUMUl8ItbS8CjKjku4HQz4RiHD0eVG4dir-7XbDkPr1q6YtnN1X-av VjBkk22MjrFUMUl8ItbS8CjKjku4HQz4RiHD0eVG4dir-7XbDkPr1q6YtnN1X-av
1EKmEnsrbhSxTvqtY4oEbWKLoEQ7zVm_0BW-rnwxdwrj4QJrhXGnqIL6bC4waZVJ 1EKmEnsrbhSxTvqtY4oEbWKLoEQ7zVm_0BW-rnwxdwrj4QJrhXGnqIL6bC4waZVJ
qYhVQIahVWSQsCRcS1oYXA-2GhT6rk91y118DUkhGDsvdK2_hQsNGE6BQVN1i-Xw qYhVQIahVWSQsCRcS1oYXA-2GhT6rk91y118DUkhGDsvdK2_hQsNGE6BQVN1i-Xw
Uoz5sM6_0PRQ1FsYnJATMjVZfa4otHiooZ_KcOlSWIDxhMDqfPOu60--1ej0eZBy Uoz5sM6_0PRQ1FsYnJATMjVZfa4otHiooZ_KcOlSWIDxhMDqfPOu60--1ej0eZBy
O7Ar_IZvzPAWqJ9agGFQIVGRZviXhN0WeErq9fVTcgeSUPsmurRSTYhTrNFLojqP O7Ar_IZvzPAWqJ9agGFQIVGRZviXhN0WeErq9fVTcgeSUPsmurRSTYhTrNFLojqP
qqk8pI61kn8GmZxA80-RUQ. qqk8pI61kn8GmZxA80-RUQ.
7kLQQst655TUxmDzysjRLXnD-nfLK5EQK7ODAUkwxc0aRb9NOgu0EMJgOR6Vz8eN 7kLQQst655TUxmDzysjRLXnD-nfLK5EQK7ODAUkwxc0aRb9NOgu0EMJgOR6Vz8eN
baf8six_OP6BRyUTYrCkH73-inD6Rc-7vc9eC5fcfSM. baf8six_OP6BRyUTYrCkH73-inD6Rc-7vc9eC5fcfSM.
COyXNSm-CdfAL22WIKcoyCgQwb85aLW3ttDkzNj_1Wg COyXNSm-CdfAL22WIKcoyCgQwb85aLW3ttDkzNj_1Wg
Appendix B. Relationship of JWTs to SAML Tokens Appendix B. Relationship of JWTs to SAML Tokens
SAML 2.0 [OASIS.saml-core-2.0-os] provides a standard for creating SAML 2.0 [OASIS.saml-core-2.0-os] provides a standard for creating
tokens with much greater expressivity and more security options than tokens with much greater expressivity and more security options than
supported by JWTs. However, the cost of this flexibility and supported by JWTs. However, the cost of this flexibility and
expressiveness is both size and complexity. In addition, SAML's use expressiveness is both size and complexity. In addition, SAML's use
of XML [W3C.CR-xml11-20021015] and XML DSIG [RFC3275] only of XML [W3C.CR-xml11-20021015] and XML DSIG [RFC3275] only
contributes to the size of SAML tokens. contributes to the size of SAML tokens.
skipping to change at page 23, line 9 skipping to change at page 23, line 22
Solutions for signing JSON content were previously explored by Magic Solutions for signing JSON content were previously explored by Magic
Signatures [MagicSignatures], JSON Simple Sign [JSS], and Canvas Signatures [MagicSignatures], JSON Simple Sign [JSS], and Canvas
Applications [CanvasApp], all of which influenced this draft. Dirk Applications [CanvasApp], all of which influenced this draft. Dirk
Balfanz, Yaron Y. Goland, John Panzer, and Paul Tarjan all made Balfanz, Yaron Y. Goland, John Panzer, and Paul Tarjan all made
significant contributions to the design of this specification. significant contributions to the design of this specification.
Appendix E. Document History Appendix E. Document History
[[ to be removed by the RFC editor before publication as an RFC ]] [[ to be removed by the RFC editor before publication as an RFC ]]
-03
o Added statement that "StringOrURI values are compared as case-
sensitive strings with no transformations or canonicalizations
applied".
o Indented artwork elements to better distinguish them from the body
text.
-02 -02
o Added an example of an encrypted JWT. o Added an example of an encrypted JWT.
o Added this language to Registration Templates: "This name is case o Added this language to Registration Templates: "This name is case
sensitive. Names that match other registered names in a case sensitive. Names that match other registered names in a case
insensitive manner SHOULD NOT be accepted." insensitive manner SHOULD NOT be accepted."
o Applied editorial suggestions. o Applied editorial suggestions.
 End of changes. 27 change blocks. 
56 lines changed or deleted 78 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/