< draft-ietf-oauth-json-web-token-07.txt		draft-ietf-oauth-json-web-token-08.txt >
	OAuth Working Group M. Jones		OAuth Working Group M. Jones
	Internet-Draft Microsoft		Internet-Draft Microsoft
	Intended status: Standards Track J. Bradley		Intended status: Standards Track J. Bradley
	Expires: October 25, 2013 Ping Identity		Expires: November 29, 2013 Ping Identity
	N. Sakimura		N. Sakimura
	NRI		NRI
	April 23, 2013		May 28, 2013
	JSON Web Token (JWT)		JSON Web Token (JWT)
	draft-ietf-oauth-json-web-token-07		draft-ietf-oauth-json-web-token-08
	Abstract		Abstract
	JSON Web Token (JWT) is a compact URL-safe means of representing		JSON Web Token (JWT) is a compact URL-safe means of representing
	claims to be transferred between two parties. The claims in a JWT		claims to be transferred between two parties. The claims in a JWT
	are encoded as a JavaScript Object Notation (JSON) object that is		are encoded as a JavaScript Object Notation (JSON) object that is
	used as the payload of a JSON Web Signature (JWS) structure or as the		used as the payload of a JSON Web Signature (JWS) structure or as the
	plaintext of a JSON Web Encryption (JWE) structure, enabling the		plaintext of a JSON Web Encryption (JWE) structure, enabling the
	claims to be digitally signed or MACed and/or encrypted.		claims to be digitally signed or MACed and/or encrypted.
	skipping to change at page 1, line 41 ¶		skipping to change at page 1, line 41 ¶
	Internet-Drafts are working documents of the Internet Engineering		Internet-Drafts are working documents of the Internet Engineering
	Task Force (IETF). Note that other groups may also distribute		Task Force (IETF). Note that other groups may also distribute
	working documents as Internet-Drafts. The list of current Internet-		working documents as Internet-Drafts. The list of current Internet-
	Drafts is at http://datatracker.ietf.org/drafts/current/.		Drafts is at http://datatracker.ietf.org/drafts/current/.
	Internet-Drafts are draft documents valid for a maximum of six months		Internet-Drafts are draft documents valid for a maximum of six months
	and may be updated, replaced, or obsoleted by other documents at any		and may be updated, replaced, or obsoleted by other documents at any
	time. It is inappropriate to use Internet-Drafts as reference		time. It is inappropriate to use Internet-Drafts as reference
	material or to cite them other than as "work in progress."		material or to cite them other than as "work in progress."
	This Internet-Draft will expire on October 25, 2013.		This Internet-Draft will expire on November 29, 2013.
	Copyright Notice		Copyright Notice
	Copyright (c) 2013 IETF Trust and the persons identified as the		Copyright (c) 2013 IETF Trust and the persons identified as the
	document authors. All rights reserved.		document authors. All rights reserved.
	This document is subject to BCP 78 and the IETF Trust's Legal		This document is subject to BCP 78 and the IETF Trust's Legal
	Provisions Relating to IETF Documents		Provisions Relating to IETF Documents
	(http://trustee.ietf.org/license-info) in effect on the date of		(http://trustee.ietf.org/license-info) in effect on the date of
	publication of this document. Please review these documents		publication of this document. Please review these documents
	skipping to change at page 9, line 6 ¶		skipping to change at page 9, line 6 ¶
	There are three classes of JWT Claim Names: Reserved Claim Names,		There are three classes of JWT Claim Names: Reserved Claim Names,
	Public Claim Names, and Private Claim Names.		Public Claim Names, and Private Claim Names.
	4.1. Reserved Claim Names		4.1. Reserved Claim Names
	The following Claim Names are reserved. None of the claims defined		The following Claim Names are reserved. None of the claims defined
	below are intended to be mandatory to use, but rather, provide a		below are intended to be mandatory to use, but rather, provide a
	starting point for a set of useful, interoperable claims. All the		starting point for a set of useful, interoperable claims. All the
	names are short because a core goal of JWTs is for the representation		names are short because a core goal of JWTs is for the representation
	to be compact. Additional reserved Claim Names MAY be defined via		to be compact. Additional reserved Claim Names can be defined via
	the IANA JSON Web Token Claims registry Section 9.1.		the IANA JSON Web Token Claims registry Section 9.1.
	4.1.1. "iss" (Issuer) Claim		4.1.1. "iss" (Issuer) Claim
	The "iss" (issuer) claim identifies the principal that issued the		The "iss" (issuer) claim identifies the principal that issued the
	JWT. The processing of this claim is generally application specific.		JWT. The processing of this claim is generally application specific.
	The "iss" value is a case sensitive string containing a StringOrURI		The "iss" value is a case sensitive string containing a StringOrURI
	value. Use of this claim is OPTIONAL.		value. Use of this claim is OPTIONAL.
	4.1.2. "sub" (Subject) Claim		4.1.2. "sub" (Subject) Claim
	skipping to change at page 19, line 13 ¶		skipping to change at page 19, line 13 ¶
	cryptographic concerns about the potential need to sign after		cryptographic concerns about the potential need to sign after
	encryption that apply in many contexts do not apply to this		encryption that apply in many contexts do not apply to this
	specification.		specification.
	11. References		11. References
	11.1. Normative References		11.1. Normative References
	[JWA] Jones, M., "JSON Web Algorithms (JWA)",		[JWA] Jones, M., "JSON Web Algorithms (JWA)",
	draft-ietf-jose-json-web-algorithms (work in progress),		draft-ietf-jose-json-web-algorithms (work in progress),
	April 2013.		May 2013.
	[JWE] Jones, M., Rescorla, E., and J. Hildebrand, "JSON Web		[JWE] Jones, M., Rescorla, E., and J. Hildebrand, "JSON Web
	Encryption (JWE)", draft-ietf-jose-json-web-encryption		Encryption (JWE)", draft-ietf-jose-json-web-encryption
	(work in progress), April 2013.		(work in progress), May 2013.
	[JWS] Jones, M., Bradley, J., and N. Sakimura, "JSON Web		[JWS] Jones, M., Bradley, J., and N. Sakimura, "JSON Web
	Signature (JWS)", draft-ietf-jose-json-web-signature (work		Signature (JWS)", draft-ietf-jose-json-web-signature (work
	in progress), April 2013.		in progress), May 2013.
	[RFC2046] Freed, N. and N. Borenstein, "Multipurpose Internet Mail		[RFC2046] Freed, N. and N. Borenstein, "Multipurpose Internet Mail
	Extensions (MIME) Part Two: Media Types", RFC 2046,		Extensions (MIME) Part Two: Media Types", RFC 2046,
	November 1996.		November 1996.
	[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate		[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
	Requirement Levels", BCP 14, RFC 2119, March 1997.		Requirement Levels", BCP 14, RFC 2119, March 1997.
	[RFC3339] Klyne, G., Ed. and C. Newman, "Date and Time on the		[RFC3339] Klyne, G., Ed. and C. Newman, "Date and Time on the
	Internet: Timestamps", RFC 3339, July 2002.		Internet: Timestamps", RFC 3339, July 2002.
	skipping to change at page 21, line 26 ¶		skipping to change at page 21, line 26 ¶
	Other than using the octets of the UTF-8 representation of the JSON		Other than using the octets of the UTF-8 representation of the JSON
	Claims Set from Section 3.1 as the plaintext value, the computation		Claims Set from Section 3.1 as the plaintext value, the computation
	of this JWT is identical to the computation of the JWE in Appendix		of this JWT is identical to the computation of the JWE in Appendix
	A.2 of [JWE], including the keys used.		A.2 of [JWE], including the keys used.
	The final result in this example (with line breaks for display		The final result in this example (with line breaks for display
	purposes only) is:		purposes only) is:
	eyJhbGciOiJSU0ExXzUiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0.		eyJhbGciOiJSU0ExXzUiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0.
	EcA0HJqCj8MhE2Gu-d-wrNgxBabw3eQg7feWIelT_k0g_MOf7imKPsFqtiy3k08u		QR1Owv2ug2WyPBnbQrRARTeEk9kDO2w8qDcjiHnSJflSdv1iNqhWXaKH4MqAkQtM
	8ynLJ-f9FaPXJZxk0y9JQm5nM-CQchlwb_R-vxA3QO-MuUgqDxhFSWhcmIfvUdme		oNfABIPJaZm0HaA415sv3aeuBWnD8J-Ui7Ah6cWafs3ZwwFKDFUUsWHSK-IPKxLG
	ezpuGpcEBv_Z9P-RiliSGqnveR_FW8HabEbypZa6lOkkSPYOc_qVm3FV6bdRlVT3		TkND09XyjORj_CHAgOPJ-Sd8ONQRnJvWn_hXV1BNMHzUjPyYwEsRhDhzjAD26ima
	wQblSnRaGtNNad5ITsZgjdIdTUu4h6ljGXrZNaXMgGLQtwbHzr07I2qxLyaX0zIE		sOTsgruobpYGoQcXUwFDn7moXPRfDE8-NoQX7N7ZYMmpUDkR-Cx9obNGwJQ3nM52
	tiLOZTEs3Z-a5P3s0wLkhRuFbM3nd-WXJcrPGDOPNzvGt_Qz4bOz5vB9c1UzMaZZ		YCitxoQVPzjbl7WBuB7AohdBoZOdZ24WlN1lVIeh8v1K4krB8xgKvRU8kgFrEn_a
	RVVqVa0mi-Orar8uOW_wGQ.		1rZgN5TiysnmzTROF869lQ.
	AxY8DCtDaGlsbGljb3RoZQ.		AxY8DCtDaGlsbGljb3RoZQ.
	MKOle7UQrG6nSxTLX6Mqwt0orbHvAKeWnDYvpIAeZ72deHxz3roJDXQyhxx0wKaM		MKOle7UQrG6nSxTLX6Mqwt0orbHvAKeWnDYvpIAeZ72deHxz3roJDXQyhxx0wKaM
	HDjUEOKIwrtkHthpqEanSBNYHZgmNOV7sln1Eu9g3J8.		HDjUEOKIwrtkHthpqEanSBNYHZgmNOV7sln1Eu9g3J8.
	_k19B2pzd5OvZ-ngGi8cZw		fiK51VwhsxJ-siBMR-YFiA
	Appendix B. Relationship of JWTs to SAML Assertions		Appendix B. Relationship of JWTs to SAML Assertions
	SAML 2.0 [OASIS.saml-core-2.0-os] provides a standard for creating		SAML 2.0 [OASIS.saml-core-2.0-os] provides a standard for creating
	security tokens with greater expressivity and more security options		security tokens with greater expressivity and more security options
	than supported by JWTs. However, the cost of this flexibility and		than supported by JWTs. However, the cost of this flexibility and
	expressiveness is both size and complexity. SAML's use of XML		expressiveness is both size and complexity. SAML's use of XML
	[W3C.CR-xml11-20021015] and XML DSIG [RFC3275] contributes to the		[W3C.CR-xml11-20021015] and XML DSIG [RFC3275] contributes to the
	size of SAML assertions; its use of XML and especially XML		size of SAML assertions; its use of XML and especially XML
	Canonicalization [W3C.REC-xml-c14n-20010315] contributes to their		Canonicalization [W3C.REC-xml-c14n-20010315] contributes to their
	skipping to change at page 23, line 15 ¶		skipping to change at page 23, line 15 ¶
	Schaad, Paul Tarjan, Hannes Tschofenig, and Sean Turner.		Schaad, Paul Tarjan, Hannes Tschofenig, and Sean Turner.
	Hannes Tschofenig and Derek Atkins chaired the OAuth working group		Hannes Tschofenig and Derek Atkins chaired the OAuth working group
	and Sean Turner and Stephen Farrell served as Security area directors		and Sean Turner and Stephen Farrell served as Security area directors
	during the creation of this specification.		during the creation of this specification.
	Appendix E. Document History		Appendix E. Document History
	[[ to be removed by the RFC editor before publication as an RFC ]]		[[ to be removed by the RFC editor before publication as an RFC ]]
			-08
			o Tracked a change to how JWEs are computed (which only affected the
			example encrypted JWT value).
	-07		-07
	o Defined that the default action for claims that are not understood		o Defined that the default action for claims that are not understood
	is to ignore them unless otherwise specified by applications.		is to ignore them unless otherwise specified by applications.
	o Changed from using the term "byte" to "octet" when referring to 8		o Changed from using the term "byte" to "octet" when referring to 8
	bit values.		bit values.
	o Tracked encryption computation changes in the JWE specification.		o Tracked encryption computation changes in the JWE specification.
End of changes. 11 change blocks.
	15 lines changed or deleted		20 lines changed or added
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/