| < draft-ietf-oauth-json-web-token-14.txt | draft-ietf-oauth-json-web-token-15.txt > | |||
|---|---|---|---|---|
| OAuth Working Group M. Jones | OAuth Working Group M. Jones | |||
| Internet-Draft Microsoft | Internet-Draft Microsoft | |||
| Intended status: Standards Track J. Bradley | Intended status: Standards Track J. Bradley | |||
| Expires: July 2, 2014 Ping Identity | Expires: July 24, 2014 Ping Identity | |||
| N. Sakimura | N. Sakimura | |||
| NRI | NRI | |||
| December 29, 2013 | January 20, 2014 | |||
| JSON Web Token (JWT) | JSON Web Token (JWT) | |||
| draft-ietf-oauth-json-web-token-14 | draft-ietf-oauth-json-web-token-15 | |||
| Abstract | Abstract | |||
| JSON Web Token (JWT) is a compact URL-safe means of representing | JSON Web Token (JWT) is a compact URL-safe means of representing | |||
| claims to be transferred between two parties. The claims in a JWT | claims to be transferred between two parties. The claims in a JWT | |||
| are encoded as a JavaScript Object Notation (JSON) object that is | are encoded as a JavaScript Object Notation (JSON) object that is | |||
| used as the payload of a JSON Web Signature (JWS) structure or as the | used as the payload of a JSON Web Signature (JWS) structure or as the | |||
| plaintext of a JSON Web Encryption (JWE) structure, enabling the | plaintext of a JSON Web Encryption (JWE) structure, enabling the | |||
| claims to be digitally signed or MACed and/or encrypted. | claims to be digitally signed or MACed and/or encrypted. | |||
| skipping to change at page 1, line 41 ¶ | skipping to change at page 1, line 41 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on July 2, 2014. | This Internet-Draft will expire on July 24, 2014. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2013 IETF Trust and the persons identified as the | Copyright (c) 2014 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| carefully, as they describe your rights and restrictions with respect | carefully, as they describe your rights and restrictions with respect | |||
| to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||
| include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
| the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
| skipping to change at page 4, line 10 ¶ | skipping to change at page 4, line 10 ¶ | |||
| Appendix C. Relationship of JWTs to Simple Web Tokens (SWTs) . . 25 | Appendix C. Relationship of JWTs to Simple Web Tokens (SWTs) . . 25 | |||
| Appendix D. Acknowledgements . . . . . . . . . . . . . . . . . . 25 | Appendix D. Acknowledgements . . . . . . . . . . . . . . . . . . 25 | |||
| Appendix E. Document History . . . . . . . . . . . . . . . . . . 25 | Appendix E. Document History . . . . . . . . . . . . . . . . . . 25 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 29 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 29 | |||
| 1. Introduction | 1. Introduction | |||
| JSON Web Token (JWT) is a compact claims representation format | JSON Web Token (JWT) is a compact claims representation format | |||
| intended for space constrained environments such as HTTP | intended for space constrained environments such as HTTP | |||
| Authorization headers and URI query parameters. JWTs encode claims | Authorization headers and URI query parameters. JWTs encode claims | |||
| to be transmitted as a JavaScript Object Notation (JSON) [RFC4627] | to be transmitted as a JavaScript Object Notation (JSON) | |||
| object that is used as the payload of a JSON Web Signature (JWS) | [I-D.ietf-json-rfc4627bis] object that is used as the payload of a | |||
| [JWS] structure or as the plaintext of a JSON Web Encryption (JWE) | JSON Web Signature (JWS) [JWS] structure or as the plaintext of a | |||
| [JWE] structure, enabling the claims to be digitally signed or MACed | JSON Web Encryption (JWE) [JWE] structure, enabling the claims to be | |||
| and/or encrypted. JWTs are always represented using the JWS Compact | digitally signed or MACed and/or encrypted. JWTs are always | |||
| Serialization or the JWE Compact Serialization. | represented using the JWS Compact Serialization or the JWE Compact | |||
| Serialization. | ||||
| The suggested pronunciation of JWT is the same as the English word | The suggested pronunciation of JWT is the same as the English word | |||
| "jot". | "jot". | |||
| 1.1. Notational Conventions | 1.1. Notational Conventions | |||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | |||
| document are to be interpreted as described in Key words for use in | document are to be interpreted as described in Key words for use in | |||
| RFCs to Indicate Requirement Levels [RFC2119]. If these words are | RFCs to Indicate Requirement Levels [RFC2119]. If these words are | |||
| skipping to change at page 6, line 9 ¶ | skipping to change at page 6, line 9 ¶ | |||
| IntDate A JSON numeric value representing the number of seconds from | IntDate A JSON numeric value representing the number of seconds from | |||
| 1970-01-01T0:0:0Z UTC until the specified UTC date/time. See RFC | 1970-01-01T0:0:0Z UTC until the specified UTC date/time. See RFC | |||
| 3339 [RFC3339] for details regarding date/times in general and UTC | 3339 [RFC3339] for details regarding date/times in general and UTC | |||
| in particular. | in particular. | |||
| 3. JSON Web Token (JWT) Overview | 3. JSON Web Token (JWT) Overview | |||
| JWTs represent a set of claims as a JSON object that is encoded in a | JWTs represent a set of claims as a JSON object that is encoded in a | |||
| JWS and/or JWE structure. This JSON object is the JWT Claims Set. As | JWS and/or JWE structure. This JSON object is the JWT Claims Set. As | |||
| per RFC 4627 [RFC4627] Section 2.2, the JSON object consists of zero | per Section 4 of [I-D.ietf-json-rfc4627bis], the JSON object consists | |||
| or more name/value pairs (or members), where the names are strings | of zero or more name/value pairs (or members), where the names are | |||
| and the values are arbitrary JSON values. These members are the | strings and the values are arbitrary JSON values. These members are | |||
| claims represented by the JWT. | the claims represented by the JWT. | |||
| The member names within the JWT Claims Set are referred to as Claim | The member names within the JWT Claims Set are referred to as Claim | |||
| Names. The corresponding values are referred to as Claim Values. | Names. The corresponding values are referred to as Claim Values. | |||
| The contents of the JWT Header describe the cryptographic operations | The contents of the JWT Header describe the cryptographic operations | |||
| applied to the JWT Claims Set. If the JWT Header is a JWS Header, the | applied to the JWT Claims Set. If the JWT Header is a JWS Header, the | |||
| JWT is represented as a JWS, and the claims are digitally signed or | JWT is represented as a JWS, and the claims are digitally signed or | |||
| MACed, with the JWT Claims Set being the JWS Payload. If the JWT | MACed, with the JWT Claims Set being the JWS Payload. If the JWT | |||
| Header is a JWE Header, the JWT is represented as a JWE, and the | Header is a JWE Header, the JWT is represented as a JWE, and the | |||
| claims are encrypted, with the JWT Claims Set being the input | claims are encrypted, with the JWT Claims Set being the input | |||
| skipping to change at page 13, line 42 ¶ | skipping to change at page 13, line 42 ¶ | |||
| 1. The JWT MUST contain at least one period ('.') character. | 1. The JWT MUST contain at least one period ('.') character. | |||
| 2. Let the Encoded JWT Header be the portion of the JWT before the | 2. Let the Encoded JWT Header be the portion of the JWT before the | |||
| first period ('.') character. | first period ('.') character. | |||
| 3. The Encoded JWT Header MUST be successfully base64url decoded | 3. The Encoded JWT Header MUST be successfully base64url decoded | |||
| following the restriction given in this specification that no | following the restriction given in this specification that no | |||
| padding characters have been used. | padding characters have been used. | |||
| 4. The resulting JWT Header MUST be completely valid JSON syntax | 4. The resulting JWT Header MUST be completely valid JSON syntax | |||
| conforming to RFC 4627 [RFC4627]. | conforming to [I-D.ietf-json-rfc4627bis]. | |||
| 5. The resulting JWT Header MUST be validated to only include | 5. The resulting JWT Header MUST be validated to only include | |||
| parameters and values whose syntax and semantics are both | parameters and values whose syntax and semantics are both | |||
| understood and supported or that are specified as being ignored | understood and supported or that are specified as being ignored | |||
| when not understood. | when not understood. | |||
| 6. Determine whether the JWT is a JWS or a JWE using any of the | 6. Determine whether the JWT is a JWS or a JWE using any of the | |||
| methods described in Section 9 of [JWE]. | methods described in Section 9 of [JWE]. | |||
| 7. Depending upon whether the JWT is a JWS or JWE, there are two | 7. Depending upon whether the JWT is a JWS or JWE, there are two | |||
| skipping to change at page 14, line 24 ¶ | skipping to change at page 14, line 24 ¶ | |||
| JWE Plaintext. | JWE Plaintext. | |||
| 8. If the JWT Header contains a "cty" (content type) value of | 8. If the JWT Header contains a "cty" (content type) value of | |||
| "JWT", then the Message is a JWT that was the subject of nested | "JWT", then the Message is a JWT that was the subject of nested | |||
| signing or encryption operations. In this case, return to Step | signing or encryption operations. In this case, return to Step | |||
| 1, using the Message as the JWT. | 1, using the Message as the JWT. | |||
| 9. Otherwise, let the JWT Claims Set be the Message. | 9. Otherwise, let the JWT Claims Set be the Message. | |||
| 10. The JWT Claims Set MUST be completely valid JSON syntax | 10. The JWT Claims Set MUST be completely valid JSON syntax | |||
| conforming to RFC 4627 [RFC4627]. | conforming to [I-D.ietf-json-rfc4627bis]. | |||
| 7.1. String Comparison Rules | 7.1. String Comparison Rules | |||
| Processing a JWT inevitably requires comparing known strings to | Processing a JWT inevitably requires comparing known strings to | |||
| values in JSON objects. For example, in checking what the algorithm | values in JSON objects. For example, in checking what the algorithm | |||
| is, the Unicode string encoding "alg" will be checked against the | is, the Unicode string encoding "alg" will be checked against the | |||
| member names in the JWT Header to see if there is a matching Header | member names in the JWT Header to see if there is a matching Header | |||
| Parameter Name. | Parameter Name. | |||
| Comparisons between JSON strings and other Unicode strings MUST be | Comparisons between JSON strings and other Unicode strings MUST be | |||
| skipping to change at page 20, line 13 ¶ | skipping to change at page 20, line 13 ¶ | |||
| specification. | specification. | |||
| 12. References | 12. References | |||
| 12.1. Normative References | 12.1. Normative References | |||
| [ECMAScript] | [ECMAScript] | |||
| Ecma International, "ECMAScript Language Specification, | Ecma International, "ECMAScript Language Specification, | |||
| 5.1 Edition", ECMA 262, June 2011. | 5.1 Edition", ECMA 262, June 2011. | |||
| [I-D.ietf-json-rfc4627bis] | ||||
| Bray, T., "The JSON Data Interchange Format", | ||||
| draft-ietf-json-rfc4627bis-10 (work in progress), | ||||
| December 2013. | ||||
| [IANA.MediaTypes] | [IANA.MediaTypes] | |||
| Internet Assigned Numbers Authority (IANA), "MIME Media | Internet Assigned Numbers Authority (IANA), "MIME Media | |||
| Types", 2005. | Types", 2005. | |||
| [JWA] Jones, M., "JSON Web Algorithms (JWA)", | [JWA] Jones, M., "JSON Web Algorithms (JWA)", | |||
| draft-ietf-jose-json-web-algorithms (work in progress), | draft-ietf-jose-json-web-algorithms (work in progress), | |||
| December 2013. | January 2014. | |||
| [JWE] Jones, M., Rescorla, E., and J. Hildebrand, "JSON Web | [JWE] Jones, M., Rescorla, E., and J. Hildebrand, "JSON Web | |||
| Encryption (JWE)", draft-ietf-jose-json-web-encryption | Encryption (JWE)", draft-ietf-jose-json-web-encryption | |||
| (work in progress), December 2013. | (work in progress), January 2014. | |||
| [JWK] Jones, M., "JSON Web Key (JWK)", | [JWK] Jones, M., "JSON Web Key (JWK)", | |||
| draft-ietf-jose-json-web-key (work in progress), | draft-ietf-jose-json-web-key (work in progress), | |||
| December 2013. | January 2014. | |||
| [JWS] Jones, M., Bradley, J., and N. Sakimura, "JSON Web | [JWS] Jones, M., Bradley, J., and N. Sakimura, "JSON Web | |||
| Signature (JWS)", draft-ietf-jose-json-web-signature (work | Signature (JWS)", draft-ietf-jose-json-web-signature (work | |||
| in progress), December 2013. | in progress), January 2014. | |||
| [RFC2046] Freed, N. and N. Borenstein, "Multipurpose Internet Mail | [RFC2046] Freed, N. and N. Borenstein, "Multipurpose Internet Mail | |||
| Extensions (MIME) Part Two: Media Types", RFC 2046, | Extensions (MIME) Part Two: Media Types", RFC 2046, | |||
| November 1996. | November 1996. | |||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, March 1997. | Requirement Levels", BCP 14, RFC 2119, March 1997. | |||
| [RFC3339] Klyne, G., Ed. and C. Newman, "Date and Time on the | [RFC3339] Klyne, G., Ed. and C. Newman, "Date and Time on the | |||
| Internet: Timestamps", RFC 3339, July 2002. | Internet: Timestamps", RFC 3339, July 2002. | |||
| [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform | [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform | |||
| Resource Identifier (URI): Generic Syntax", STD 66, | Resource Identifier (URI): Generic Syntax", STD 66, | |||
| RFC 3986, January 2005. | RFC 3986, January 2005. | |||
| [RFC4627] Crockford, D., "The application/json Media Type for | ||||
| JavaScript Object Notation (JSON)", RFC 4627, July 2006. | ||||
| [RFC4648] Josefsson, S., "The Base16, Base32, and Base64 Data | [RFC4648] Josefsson, S., "The Base16, Base32, and Base64 Data | |||
| Encodings", RFC 4648, October 2006. | Encodings", RFC 4648, October 2006. | |||
| [RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an | [RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an | |||
| IANA Considerations Section in RFCs", BCP 26, RFC 5226, | IANA Considerations Section in RFCs", BCP 26, RFC 5226, | |||
| May 2008. | May 2008. | |||
| [RFC6755] Campbell, B. and H. Tschofenig, "An IETF URN Sub-Namespace | [RFC6755] Campbell, B. and H. Tschofenig, "An IETF URN Sub-Namespace | |||
| for OAuth", RFC 6755, October 2012. | for OAuth", RFC 6755, October 2012. | |||
| skipping to change at page 24, line 40 ¶ | skipping to change at page 24, line 40 ¶ | |||
| than supported by JWTs. However, the cost of this flexibility and | than supported by JWTs. However, the cost of this flexibility and | |||
| expressiveness is both size and complexity. SAML's use of XML | expressiveness is both size and complexity. SAML's use of XML | |||
| [W3C.CR-xml11-20021015] and XML DSIG [RFC3275] contributes to the | [W3C.CR-xml11-20021015] and XML DSIG [RFC3275] contributes to the | |||
| size of SAML assertions; its use of XML and especially XML | size of SAML assertions; its use of XML and especially XML | |||
| Canonicalization [W3C.REC-xml-c14n-20010315] contributes to their | Canonicalization [W3C.REC-xml-c14n-20010315] contributes to their | |||
| complexity. | complexity. | |||
| JWTs are intended to provide a simple security token format that is | JWTs are intended to provide a simple security token format that is | |||
| small enough to fit into HTTP headers and query arguments in URIs. | small enough to fit into HTTP headers and query arguments in URIs. | |||
| It does this by supporting a much simpler token model than SAML and | It does this by supporting a much simpler token model than SAML and | |||
| using the JSON [RFC4627] object encoding syntax. It also supports | using the JSON [I-D.ietf-json-rfc4627bis] object encoding syntax. It | |||
| securing tokens using Message Authentication Codes (MACs) and digital | also supports securing tokens using Message Authentication Codes | |||
| signatures using a smaller (and less flexible) format than XML DSIG. | (MACs) and digital signatures using a smaller (and less flexible) | |||
| format than XML DSIG. | ||||
| Therefore, while JWTs can do some of the things SAML assertions do, | Therefore, while JWTs can do some of the things SAML assertions do, | |||
| JWTs are not intended as a full replacement for SAML assertions, but | JWTs are not intended as a full replacement for SAML assertions, but | |||
| rather as a token format to be used when ease of implementation or | rather as a token format to be used when ease of implementation or | |||
| compactness are considerations. | compactness are considerations. | |||
| SAML Assertions are always statements made by an entity about a | SAML Assertions are always statements made by an entity about a | |||
| subject. JWTs are often used in the same manner, with the entity | subject. JWTs are often used in the same manner, with the entity | |||
| making the statements being represented by the "iss" (issuer) claim, | making the statements being represented by the "iss" (issuer) claim, | |||
| and the subject being represented by the "sub" (subject) claim. | and the subject being represented by the "sub" (subject) claim. | |||
| skipping to change at page 25, line 47 ¶ | skipping to change at page 26, line 4 ¶ | |||
| John Panzer, Emmanuel Raviart, David Recordon, Eric Rescorla, Jim | John Panzer, Emmanuel Raviart, David Recordon, Eric Rescorla, Jim | |||
| Schaad, Paul Tarjan, Hannes Tschofenig, and Sean Turner. | Schaad, Paul Tarjan, Hannes Tschofenig, and Sean Turner. | |||
| Hannes Tschofenig and Derek Atkins chaired the OAuth working group | Hannes Tschofenig and Derek Atkins chaired the OAuth working group | |||
| and Sean Turner and Stephen Farrell served as Security area directors | and Sean Turner and Stephen Farrell served as Security area directors | |||
| during the creation of this specification. | during the creation of this specification. | |||
| Appendix E. Document History | Appendix E. Document History | |||
| [[ to be removed by the RFC Editor before publication as an RFC ]] | [[ to be removed by the RFC Editor before publication as an RFC ]] | |||
| -15 | ||||
| o Replaced references to RFC 4627 with draft-ietf-json-rfc4627bis. | ||||
| -14 | -14 | |||
| o Referenced the JWE section on Distinguishing between JWS and JWE | o Referenced the JWE section on Distinguishing between JWS and JWE | |||
| Objects. | Objects. | |||
| -13 | -13 | |||
| o Added Claim Description registry field. | o Added Claim Description registry field. | |||
| o Used Header Parameter Description registry field. | o Used Header Parameter Description registry field. | |||
| o Removed the phrases "JWA signing algorithms" and "JWA encryption | o Removed the phrases "JWA signing algorithms" and "JWA encryption | |||
| End of changes. 18 change blocks. | ||||
| 27 lines changed or deleted | 35 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||