idnits 2.17.1 draft-yusef-oauth-nested-jwt-01.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year == The document doesn't use any RFC 2119 keywords, yet seems to have RFC 2119 boilerplate text. == The document seems to contain a disclaimer for pre-RFC5378 work, but was first submitted on or after 10 November 2008. The disclaimer is usually necessary only for documents that revise or obsolete older RFCs, and that take significant amounts of text from those RFCs. If you can contact all authors of the source material and they are willing to grant the BCP78 rights to the IETF Trust, you can and should remove the disclaimer. Otherwise, the disclaimer is needed and you can ignore this comment. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (July 8, 2019) is 1751 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) No issues found here. Summary: 0 errors (**), 0 flaws (~~), 3 warnings (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 OAuth Working Group R. Shekh-Yusef 3 Internet-Draft Avaya 4 Intended status: Standards Track July 8, 2019 5 Expires: January 9, 2020 7 Nested JSON Web Token (JWT) 8 draft-yusef-oauth-nested-jwt-01 10 Abstract 12 This specification extends the scope of the Nested JSON Web Token 13 (JWT) to allow the enclosing JWT to contain its own Claims Set in 14 addition to the enclosed JWT. 16 Status of This Memo 18 This Internet-Draft is submitted in full conformance with the 19 provisions of BCP 78 and BCP 79. 21 Internet-Drafts are working documents of the Internet Engineering 22 Task Force (IETF). Note that other groups may also distribute 23 working documents as Internet-Drafts. The list of current Internet- 24 Drafts is at https://datatracker.ietf.org/drafts/current/. 26 Internet-Drafts are draft documents valid for a maximum of six months 27 and may be updated, replaced, or obsoleted by other documents at any 28 time. It is inappropriate to use Internet-Drafts as reference 29 material or to cite them other than as "work in progress." 31 This Internet-Draft will expire on January 9, 2020. 33 Copyright Notice 35 Copyright (c) 2019 IETF Trust and the persons identified as the 36 document authors. All rights reserved. 38 This document is subject to BCP 78 and the IETF Trust's Legal 39 Provisions Relating to IETF Documents 40 (https://trustee.ietf.org/license-info) in effect on the date of 41 publication of this document. Please review these documents 42 carefully, as they describe your rights and restrictions with respect 43 to this document. Code Components extracted from this document must 44 include Simplified BSD License text as described in Section 4.e of 45 the Trust Legal Provisions and are provided without warranty as 46 described in the Simplified BSD License. 48 This document may contain material from IETF Documents or IETF 49 Contributions published or made publicly available before November 50 10, 2008. The person(s) controlling the copyright in some of this 51 material may not have granted the IETF Trust the right to allow 52 modifications of such material outside the IETF Standards Process. 53 Without obtaining an adequate license from the person(s) controlling 54 the copyright in such materials, this document may not be modified 55 outside the IETF Standards Process, and derivative works of it may 56 not be created outside the IETF Standards Process, except to format 57 it for publication as an RFC or to translate it into languages other 58 than English. 60 Table of Contents 62 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 63 1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 2 64 2. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 3 65 3. Use Case . . . . . . . . . . . . . . . . . . . . . . . . . . 3 66 4. JWT Content Type Header Parameter . . . . . . . . . . . . . . 3 67 5. JWT Content . . . . . . . . . . . . . . . . . . . . . . . . . 4 68 6. Example . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 69 7. Security Considerations . . . . . . . . . . . . . . . . . . . 4 70 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 4 71 9. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 4 72 10. Normative References . . . . . . . . . . . . . . . . . . . . 5 73 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 5 75 1. Introduction 77 JSON Web Token (JWT) is a mechanism that is used to transfer claims 78 between two parties across security domains. Nested JWT is a JWT in 79 which the payload is another JWT. The current specification does not 80 define a means by which the enclosing JWT could have its own Claims 81 Set, only the enclosed JWT would have claims. 83 This specification extends the scope of the Nested JWT to allow the 84 enclosing JWT to contain its own Claims Set in addition to the 85 enclosed JWT. 87 1.1. Terminology 89 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 90 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 91 document are to be interpreted as described in [RFC2119]. 93 2. Overview 95 RFC7519 defines Nested JWT as a JWT in which nested signing and/or 96 encryption are employed. In Nested JWTs, a JWT is used as the 97 payload or plaintext value of an enclosing JWS or JWE structure, 98 respectively. 100 To indicate that the payload of an enclosing JWT is yet another JWT, 101 the value of the Content Type Parameter of the JOSE header, i.e. 102 "cty", must be set to "JWT", which means that the enclosing JWT 103 cannot have its own claims. 105 This document updates the enclosing JWT content to allow it to 106 represent a Claims Set and an enclosed JWT, using JSON data 107 structures, and updates the Content Type to indicate this new nested 108 content. 110 3. Use Case 112 The use case is for a telephony application that is based on the 113 "Native Apps Using the Browser" flow defined in RFC8252. The Native 114 App needs access to a telephony and non-telephony services that are 115 controlled by different authorization servers, where the Native App 116 can validate tokens issued by only one of these authorization 117 servers. 119 The Native App starts the process by interacting with a Client that 120 requires the user to authenticate itself using a Browser. The 121 Browser starts by contacting an AS, which redirects it to an OP. The 122 user authenticates to the OP and obtains a Code, and then gets 123 redirected back to AS. The Native App gets access to the Code, then 124 sends the Code to the AS, which then interacts with the OP to 125 exchange the Code for an ID Token and OP Access Token. Since the 126 Native App has no way of validating the OP Access Token, when the AS 127 creates an AS Access Token, it embeds the OP Access Token inside the 128 AS Access Token, and returns it back to the Native App. The Native 129 App gets the AS Access Token and is able to validate it and extract 130 the OP Access Token, and access the different services protected with 131 these tokens. 133 4. JWT Content Type Header Parameter 135 The JOSE Header contains an optional parameter that could be used to 136 indicate the type of the payload of a JWT. With a typical Nested 137 JWT, the value of the "cty" header must be "JWT". To indicate that 138 the payload contains a Claims Set in addition to the JWT, the value 139 of the "cty" header must be "NJWT". 141 5. JWT Content 143 The payload of the enclosing JWT is JSON object that contains the 144 Claims Set, and one new claim that is used to hold the enclosed JWT. 146 This document defines a new claim, "njwt", that is used to contain 147 the enclosed JWT. 149 6. Example 151 { 152 "alg": "HS256", 153 "typ": "JWT", 154 "cty": "NJWT" 155 } 157 { 158 "sub": "1234567890", 159 "name": "John Doe", 160 "iat": 1516239022, 161 "njwt": "" 162 } 164 7. Security Considerations 166 TODO 168 8. IANA Considerations 170 TODO 172 9. Acknowledgments 174 TODO 176 10. Normative References 178 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 179 Requirement Levels", RFC 2119, March 1997. 181 Author's Address 183 Rifaat Shekh-Yusef 184 Avaya 185 425 Legget Drive 186 Ottawa, Ontario 187 Canada 189 Phone: +1-613-595-9106 190 EMail: rifaat.ietf@gmail.com