| < draft-ietf-oauth-json-web-token-13.txt | draft-ietf-oauth-json-web-token-14.txt > | |||
|---|---|---|---|---|
| OAuth Working Group M. Jones | OAuth Working Group M. Jones | |||
| Internet-Draft Microsoft | Internet-Draft Microsoft | |||
| Intended status: Standards Track J. Bradley | Intended status: Standards Track J. Bradley | |||
| Expires: May 16, 2014 Ping Identity | Expires: July 2, 2014 Ping Identity | |||
| N. Sakimura | N. Sakimura | |||
| NRI | NRI | |||
| November 12, 2013 | December 29, 2013 | |||
| JSON Web Token (JWT) | JSON Web Token (JWT) | |||
| draft-ietf-oauth-json-web-token-13 | draft-ietf-oauth-json-web-token-14 | |||
| Abstract | Abstract | |||
| JSON Web Token (JWT) is a compact URL-safe means of representing | JSON Web Token (JWT) is a compact URL-safe means of representing | |||
| claims to be transferred between two parties. The claims in a JWT | claims to be transferred between two parties. The claims in a JWT | |||
| are encoded as a JavaScript Object Notation (JSON) object that is | are encoded as a JavaScript Object Notation (JSON) object that is | |||
| used as the payload of a JSON Web Signature (JWS) structure or as the | used as the payload of a JSON Web Signature (JWS) structure or as the | |||
| plaintext of a JSON Web Encryption (JWE) structure, enabling the | plaintext of a JSON Web Encryption (JWE) structure, enabling the | |||
| claims to be digitally signed or MACed and/or encrypted. | claims to be digitally signed or MACed and/or encrypted. | |||
| skipping to change at page 1, line 41 ¶ | skipping to change at page 1, line 41 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on May 16, 2014. | This Internet-Draft will expire on July 2, 2014. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2013 IETF Trust and the persons identified as the | Copyright (c) 2013 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 13, line 49 ¶ | skipping to change at page 13, line 49 ¶ | |||
| padding characters have been used. | padding characters have been used. | |||
| 4. The resulting JWT Header MUST be completely valid JSON syntax | 4. The resulting JWT Header MUST be completely valid JSON syntax | |||
| conforming to RFC 4627 [RFC4627]. | conforming to RFC 4627 [RFC4627]. | |||
| 5. The resulting JWT Header MUST be validated to only include | 5. The resulting JWT Header MUST be validated to only include | |||
| parameters and values whose syntax and semantics are both | parameters and values whose syntax and semantics are both | |||
| understood and supported or that are specified as being ignored | understood and supported or that are specified as being ignored | |||
| when not understood. | when not understood. | |||
| 6. Determine whether the JWT is a JWS or a JWE by examining the | 6. Determine whether the JWT is a JWS or a JWE using any of the | |||
| "alg" (algorithm) header value and optionally, the "enc" | methods described in Section 9 of [JWE]. | |||
| (encryption method) header value, if present. | ||||
| 7. Depending upon whether the JWT is a JWS or JWE, there are two | 7. Depending upon whether the JWT is a JWS or JWE, there are two | |||
| cases: | cases: | |||
| * If the JWT is a JWS, all steps specified in [JWS] for | * If the JWT is a JWS, all steps specified in [JWS] for | |||
| validating a JWS MUST be followed. Let the Message be the | validating a JWS MUST be followed. Let the Message be the | |||
| result of base64url decoding the JWS Payload. | result of base64url decoding the JWS Payload. | |||
| * Else, if the JWT is a JWE, all steps specified in [JWE] for | * Else, if the JWT is a JWE, all steps specified in [JWE] for | |||
| validating a JWE MUST be followed. Let the Message be the | validating a JWE MUST be followed. Let the Message be the | |||
| skipping to change at page 20, line 19 ¶ | skipping to change at page 20, line 19 ¶ | |||
| [ECMAScript] | [ECMAScript] | |||
| Ecma International, "ECMAScript Language Specification, | Ecma International, "ECMAScript Language Specification, | |||
| 5.1 Edition", ECMA 262, June 2011. | 5.1 Edition", ECMA 262, June 2011. | |||
| [IANA.MediaTypes] | [IANA.MediaTypes] | |||
| Internet Assigned Numbers Authority (IANA), "MIME Media | Internet Assigned Numbers Authority (IANA), "MIME Media | |||
| Types", 2005. | Types", 2005. | |||
| [JWA] Jones, M., "JSON Web Algorithms (JWA)", | [JWA] Jones, M., "JSON Web Algorithms (JWA)", | |||
| draft-ietf-jose-json-web-algorithms (work in progress), | draft-ietf-jose-json-web-algorithms (work in progress), | |||
| November 2013. | December 2013. | |||
| [JWE] Jones, M., Rescorla, E., and J. Hildebrand, "JSON Web | [JWE] Jones, M., Rescorla, E., and J. Hildebrand, "JSON Web | |||
| Encryption (JWE)", draft-ietf-jose-json-web-encryption | Encryption (JWE)", draft-ietf-jose-json-web-encryption | |||
| (work in progress), November 2013. | (work in progress), December 2013. | |||
| [JWK] Jones, M., "JSON Web Key (JWK)", | [JWK] Jones, M., "JSON Web Key (JWK)", | |||
| draft-ietf-jose-json-web-key (work in progress), | draft-ietf-jose-json-web-key (work in progress), | |||
| November 2013. | December 2013. | |||
| [JWS] Jones, M., Bradley, J., and N. Sakimura, "JSON Web | [JWS] Jones, M., Bradley, J., and N. Sakimura, "JSON Web | |||
| Signature (JWS)", draft-ietf-jose-json-web-signature (work | Signature (JWS)", draft-ietf-jose-json-web-signature (work | |||
| in progress), November 2013. | in progress), December 2013. | |||
| [RFC2046] Freed, N. and N. Borenstein, "Multipurpose Internet Mail | [RFC2046] Freed, N. and N. Borenstein, "Multipurpose Internet Mail | |||
| Extensions (MIME) Part Two: Media Types", RFC 2046, | Extensions (MIME) Part Two: Media Types", RFC 2046, | |||
| November 1996. | November 1996. | |||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, March 1997. | Requirement Levels", BCP 14, RFC 2119, March 1997. | |||
| [RFC3339] Klyne, G., Ed. and C. Newman, "Date and Time on the | [RFC3339] Klyne, G., Ed. and C. Newman, "Date and Time on the | |||
| Internet: Timestamps", RFC 3339, July 2002. | Internet: Timestamps", RFC 3339, July 2002. | |||
| skipping to change at page 25, line 48 ¶ | skipping to change at page 25, line 48 ¶ | |||
| Schaad, Paul Tarjan, Hannes Tschofenig, and Sean Turner. | Schaad, Paul Tarjan, Hannes Tschofenig, and Sean Turner. | |||
| Hannes Tschofenig and Derek Atkins chaired the OAuth working group | Hannes Tschofenig and Derek Atkins chaired the OAuth working group | |||
| and Sean Turner and Stephen Farrell served as Security area directors | and Sean Turner and Stephen Farrell served as Security area directors | |||
| during the creation of this specification. | during the creation of this specification. | |||
| Appendix E. Document History | Appendix E. Document History | |||
| [[ to be removed by the RFC Editor before publication as an RFC ]] | [[ to be removed by the RFC Editor before publication as an RFC ]] | |||
| -14 | ||||
| o Referenced the JWE section on Distinguishing between JWS and JWE | ||||
| Objects. | ||||
| -13 | -13 | |||
| o Added Claim Description registry field. | o Added Claim Description registry field. | |||
| o Used Header Parameter Description registry field. | o Used Header Parameter Description registry field. | |||
| o Removed the phrases "JWA signing algorithms" and "JWA encryption | o Removed the phrases "JWA signing algorithms" and "JWA encryption | |||
| algorithms". | algorithms". | |||
| o Removed the term JSON Text Object. | o Removed the term JSON Text Object. | |||
| -12 | -12 | |||
| End of changes. 11 change blocks. | ||||
| 11 lines changed or deleted | 15 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||